Re: user password question?

Discussion in 'Java' started by DrAcKe, Jun 28, 2003.

  1. DrAcKe

    DrAcKe Guest

    On 26 Jun 2003 19:21:34 -0700, (Peter) wrote:

    >Hi
    > In my program, the user has to enter the correct password before using
    >it. I encrypt the password and save it into a file. Good enough for
    >security?
    > Any improvement I can have?
    >
    >thanks
    >from Peter ()


    I think that saving the password in a file could be a security breach.
    If users only have access to your program, I think that policy
    is good, but if any user has access to the whole system, remember that
    Java classes can be decompiled.

    By3z, DrAcKe

    PS Sorry, but I don't speak English well.
    DrAcKe, Jun 28, 2003
    #1

  2. rkm

    rkm Guest

    > On 26 Jun 2003 19:21:34 -0700, (Peter) wrote:
    >
    >>Hi
    >> In my program, the user has to enter the correct password before using
    >>it. I encrypt the password and save it into a file. Good enough for
    >>security?
    >> Any improvement I can have?
    >>
    >>thanks
    >>from Peter ()


    From the encryption texts I've read, if this is a one-way
    encryption with a sufficiently complex encryption algorithm
    (not reversible I mean), then the only way to produce the
    key you've stored in the file is to know the original
    password, or use brute force and try every possibility until
    you find it. But you should be able to thwart that.
    rkm, Jun 28, 2003
    #2

  3. Peter

    Peter Guest

    Thanks for the reply.
    Linux also saves the user password in a text file. I guess it has no
    problem if the encryption is strong enough.

    thanks
    from Peter ()


    rkm <> wrote in message news:<>...
    > > On 26 Jun 2003 19:21:34 -0700, (Peter) wrote:
    > >
    > >>Hi
    > >> In my program, the user has to enter the correct password before using
    > >>it. I encrypt the password and save it into a file. Good enough for
    > >>security?
    > >> Any improvement I can have?
    > >>
    > >>thanks
    > >>from Peter ()
    >
    > From the encryption texts I've read, if this is a one-way
    > encryption with a sufficiently complex encryption algorithm
    > (not reversible I mean), then the only way to produce the
    > key you've stored in the file is to know the original
    > password, or use brute force and try every possibility until
    > you find it. But you should be able to thwart that.
    Peter, Jun 29, 2003
    #3
  4. There are free and cheap embedded Java databases available if you want them.
    http://sourceforge.net/projects/hsqldb/ is a well known one.

    "Peter" <> wrote in message news:...
    > thanks Marco
    > I am developing a commercial program; at the beginning I wanted to
    > use an embedded database to store the users' passwords. But it is too
    > expensive, so I am finding another way to store user passwords.
    >
    > thanks
    > from Peter ()
    >
    > Marco Schmidt <> wrote in message news:<>...
    > > Peter:
    > >
    > > > Linux also saves the user password in a text file. I guess it has no
    > > >problem if the encryption is strong enough.
    > >
    > > But the password is saved in a file that only root can modify. Your
    > > Java program will have to check with a file that the user is not
    > > allowed to modify.
    > >
    > > Even then, the user could decompile the program, remove the password
    > > check and then run the modified program.
    > >
    > > What exactly does the program do that you want to keep away from
    > > users? Maybe there is a better way than on the application level.
    > >
    > > Regards,
    > > Marco
    Jeroen Wenting, Jul 4, 2003
    #4
  5. Roedy Green

    Roedy Green Guest

    On 29 Jun 2003 09:04:22 -0700, (Peter) wrote or quoted:

    > Linux also saves the user password in a text file. I guess it has no
    >problem if the encryption is strong enough.


    It more likely saves a DIGEST of the password in a text file.

    See http://mindprod.com/jgloss/digest.html

    Given the digest it is not at all easy to guess the original password.

    In a client server situation, it does NOT help to send a digested
    password. If the communication is intercepted, the hacker can login
    just by sending the digest. He does not need to figure out the
    original password.


    In a highly secure system, the server has a public key which is no
    secret. It is also embedded in applets.

    The Applet encrypts the password using that public key. Only the
    server can decrypt it, since it is the only one with the matching
    private key.

    There are other techniques with challenge phrases the other party
    encrypts with its private key to prove it is who it claims to be.
    --
    Canadian Mind Products, Roedy Green.
    Coaching, problem solving, economical contract programming.
    See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
    Roedy Green, Jul 4, 2003
    #5
  6. Roedy Green

    Roedy Green Guest

    On 4 Jul 2003 00:09:50 -0700, (Peter) wrote or quoted:

    > I am developing a commercial program; at the beginning I wanted to
    >use an embedded database to store the users' passwords. But it is too
    >expensive, so I am finding another way to store user passwords.


    Probably a serialised array of digested passwords would suffice if you
    don't have huge numbers of users.
    Roedy Green, Jul 4, 2003
    #6
  7. Sudsy

    Sudsy Guest

    Roedy Green wrote:
    > On 29 Jun 2003 09:04:22 -0700, (Peter) wrote or quoted:
    >
    >> Linux also saves the user password in a text file. I guess it has no
    >>problem if the encryption is strong enough.
    >
    > It more likely saves a DIGEST of the password in a text file.
    >
    > See http://mindprod.com/jgloss/digest.html
    >
    > Given the digest it is not at all easy to guess the original password.
    >
    > In a client server situation, it does NOT help to send a digested
    > password. If the communication is intercepted, the hacker can login
    > just by sending the digest. He does not need to figure out the
    > original password.


    That's not how it works. The server sends a random value to the client
    which then uses the password in a one-way (trap-door) algorithm to
    generate the result returned to the server. The server applies the
    known client password to the random value using the same algorithm
    and compares the results. No match = no validation.
    Sudsy, Jul 4, 2003
    #7
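    The exchange Sudsy describes, written out as an added example (not code from any post in this thread): the server issues a random challenge, the client answers with a one-way function of password and challenge, and the server recomputes the answer from the password it holds and compares. HMAC-SHA256 from javax.crypto, the Server/respond names and the sample password are my choices, not the thread's.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ChallengeResponseDemo {
    // The one-way function both sides agree on: HMAC-SHA256 over the challenge, keyed with the password.
    static byte[] respond(String password, byte[] challenge) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(password.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(challenge);
    }

    // Server side: holds the user's password (as in Sudsy's description) and the challenge it issued.
    static class Server {
        private final String knownPassword;
        private final SecureRandom rng = new SecureRandom();
        private byte[] outstandingChallenge;
        Server(String knownPassword) { this.knownPassword = knownPassword; }

        byte[] newChallenge() {
            outstandingChallenge = new byte[16];
            rng.nextBytes(outstandingChallenge);   // fresh random value per login attempt
            return outstandingChallenge.clone();
        }

        boolean verify(byte[] response) throws Exception {
            if (outstandingChallenge == null) return false;   // nothing issued, or already used
            byte[] expected = respond(knownPassword, outstandingChallenge);
            outstandingChallenge = null;           // single use: a replayed answer has nothing to match
            return MessageDigest.isEqual(expected, response);   // constant-time comparison
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server("correct horse");   // constructed sample password
        // Genuine login: the client answers the current challenge with its password.
        byte[] c1 = server.newChallenge();
        byte[] r1 = respond("correct horse", c1);
        System.out.println("genuine login accepted:   " + server.verify(r1));
        // An eavesdropper who captured r1 replays it; the server has since issued a different challenge.
        server.newChallenge();
        System.out.println("replayed answer accepted: " + server.verify(r1));
        // Wrong password against a fresh challenge.
        byte[] c3 = server.newChallenge();
        System.out.println("wrong password accepted:  " + server.verify(respond("guess", c3)));
    }
}
```

    Note that the server must hold the password (or a password-equivalent) to recompute the answer, so this protects the wire against the replay Roedy describes but does not remove the need to protect the stored secret.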
  8. Roedy Green

    Roedy Green Guest

    On Fri, 04 Jul 2003 14:20:20 -0400, Sudsy <> wrote or quoted:

    >That's not how it works


    I was pointing out why you could NOT do it that simple way. I was not
    asserting it was done that way.

    Roedy Green, Jul 5, 2003
    #8
  9. On Sun, 29 Jun 2003 09:04:22 +0000, Peter wrote:

    > Thanks for the reply.
    > Linux also saves the user password in a text file. I guess it has no
    > problem if the encryption is strong enough.


    It's not true that this is not a problem! In a well configured Linux the
    password file is readable by root only. You can do a very simple
    brute-force attack if you can download the file.

    You should also remember that the same password for two different users
    should not have the same encrypted text, for it's easy to guess passwords
    that appear more than once for different users.

    - Sebastian
    Sebastian Hoehn, Jul 5, 2003
    #9
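    An added example (not from any post in this thread) of the storage side Roedy and Sebastian discuss: a per-user random salt so two users with the same password get different stored digests, a deliberately slow salted digest to make the brute force Sebastian mentions expensive, and entries that are Serializable so the list can be written out as the "serialised array of digested passwords" Roedy suggests. PBKDF2 via javax.crypto, the class and method names and the sample users are my choices; it assumes Java 16+ for records.

```java
import java.io.Serializable;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedDigestStore {
    // One entry per user: a random salt and the salted digest. The password itself is never stored;
    // Serializable lets the whole list be written out as a serialised array.
    record Entry(String user, byte[] salt, byte[] digest) implements Serializable {}

    private final List<Entry> entries = new ArrayList<>();
    private final SecureRandom rng = new SecureRandom();

    // Salted, deliberately slow one-way digest (PBKDF2-HMAC-SHA256, 100k iterations): the salt makes
    // equal passwords look different on disk, the iteration count makes guessing each one costly.
    static byte[] saltedDigest(byte[] salt, String password) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    void register(String user, String password) throws Exception {
        byte[] salt = new byte[16];
        rng.nextBytes(salt);                       // fresh salt per user
        entries.add(new Entry(user, salt, saltedDigest(salt, password)));
    }

    boolean check(String user, String password) throws Exception {
        for (Entry e : entries) {
            if (e.user().equals(user)) {
                // constant-time comparison of the recomputed digest against the stored one
                return MessageDigest.isEqual(e.digest(), saltedDigest(e.salt(), password));
            }
        }
        return false;                              // unknown user
    }

    public static void main(String[] args) throws Exception {
        SaltedDigestStore store = new SaltedDigestStore();   // constructed sample users below
        store.register("alice", "hunter2");
        store.register("bob", "hunter2");          // same password as alice
        Entry a = store.entries.get(0), b = store.entries.get(1);
        System.out.println("stored digests differ despite equal passwords: "
                + !MessageDigest.isEqual(a.digest(), b.digest()));
        System.out.println("alice/hunter2 accepted: " + store.check("alice", "hunter2"));
        System.out.println("bob/wrong rejected:     " + !store.check("bob", "wrong"));
    }
}
```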