How to store passwords securely

 
Ranch Hand
Posts: 392
Our application uses an FTP, SMTP, BO server; we have a requirement to store all passwords in the database encrypted and retrieve them from Java. How do I achieve this? Are there any tools already available for this?
 
author
Posts: 3285
Hi there,

Originally posted by Raghunandan Mamidala:
Our application uses an FTP, SMTP, BO server; we have a requirement to store all passwords in the database encrypted and retrieve them from Java. How do I achieve this? Are there any tools already available for this?

If you're looking for a basic solution, the std JDK provides basic encrypt and decrypt functionality based on a few basic algorithms, just Google "java encrypt passwords" to see lots of examples.

Storing the Password
--------------------

You can use a stand alone java 'user' administration utility to encrypt a password for a user and store that password as a string in the database (std varchar field). A common gotcha here is the maximum length of an encrypted string after you encrypt it, make sure it fits in your database column!

Many database vendors also supply standalone tools or SQL functions for this (take plain text password and encrypt it).

Retrieving the password
-----------------------

When the 'user' then enters a plain text password for the relevant part of your system you 'simply compare' their password against the password in the database (see below).

You can do this in 2 ways, either:

* Encrypt the password coming in and compare that against the value in your database

OR

* Decrypt the password in the database and compare that against the value coming in.

Cheers,
Martijn
 
Rancher
Posts: 43081
But then you have to store the encryption key somewhere (in addition to the encrypted passwords). You don't say what you're trying to guard against - would this really be enhanced security?
 
Sri Anand
Ranch Hand
Posts: 392
We are using Orien server, which takes care of encrypting the database login password.
What I am looking for is to put all the other servers' passwords encrypted (like FTP, SMTP etc.), so my question is how do we put them encrypted in the DB and retrieve them.
We don't want all these servers' user names and passwords in clear text in a config file, for security reasons.
[ August 26, 2008: Message edited by: Raghunandan Mamidala ]
 
Ranch Hand
Posts: 2187
Java simplified encryption - jasypt.org
[ August 26, 2008: Message edited by: James Clark ]
 
Martijn Verburg
author
Posts: 3285

Originally posted by Ulf Dittmer:
But then you have to store the encryption key somewhere (in addition to the encrypted passwords). You don't say what you're trying to guard against - would this really be enhanced security?

I typically have an encryption policy and key file on a secure location on the file system (read-only by root and the java admin user for the app).
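For the service credentials this thread is about (FTP/SMTP passwords that the application must later present in clear to the remote server), the two steps Martijn describes above, encrypt with a key kept in a protected file and store the ciphertext in a VARCHAR column, then decrypt at use time, look like this in plain JDK code. This is an added example, not code from the thread or from jasypt; the class name, the key-file path and the sample credential are constructed, and the storedLength helper exists only to answer the column-length gotcha mentioned in the first reply.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Reversible encryption for service credentials (FTP/SMTP passwords the app
 * must later send in clear). The AES key lives in a file outside the database;
 * the column holds only IV and ciphertext, so a table dump alone reveals nothing.
 * Hypothetical class written for this thread, not a library API.
 */
public final class ServicePasswordVault {
    private static final int KEY_BYTES = 32;   // AES-256
    private static final int IV_BYTES = 12;    // standard GCM nonce size
    private static final int TAG_BITS = 128;   // GCM authentication tag

    private final SecretKey key;
    private final SecureRandom random = new SecureRandom();

    private ServicePasswordVault(byte[] rawKey) {
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** One-time setup: write a random key to a file created owner-read/write only. */
    public static void createKeyFile(Path keyFile) throws IOException {
        if (Files.exists(keyFile)) {
            throw new IllegalStateException("refusing to overwrite existing key file " + keyFile);
        }
        try {
            Files.createFile(keyFile,
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        } catch (UnsupportedOperationException notPosix) {
            Files.createFile(keyFile);   // non-POSIX filesystem: restrict via ACLs separately
        }
        byte[] raw = new byte[KEY_BYTES];
        new SecureRandom().nextBytes(raw);
        Files.write(keyFile, raw);
    }

    /** Loads the key at startup; the file, not the database, is what must be protected. */
    public static ServicePasswordVault fromKeyFile(Path keyFile) throws IOException {
        byte[] raw = Files.readAllBytes(keyFile);
        if (raw.length != KEY_BYTES) {
            throw new IllegalStateException("key file must hold exactly " + KEY_BYTES + " bytes");
        }
        return new ServicePasswordVault(raw);
    }

    /** Returns "base64(iv):base64(ciphertext||tag)", plain ASCII for a VARCHAR column. */
    public String encrypt(String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);                  // fresh nonce per value; never reuse with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(iv) + ":" + enc.encodeToString(ct);
    }

    /** Reverses encrypt(); a wrong key or a tampered column value fails with AEADBadTagException. */
    public String decrypt(String stored) throws GeneralSecurityException {
        String[] parts = stored.split(":", 2);
        if (parts.length != 2) {
            throw new IllegalArgumentException("malformed stored value");
        }
        Base64.Decoder dec = Base64.getDecoder();
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, dec.decode(parts[0])));
        return new String(cipher.doFinal(dec.decode(parts[1])), StandardCharsets.UTF_8);
    }

    /** Column-length gotcha: characters needed to store a plaintext of the given byte length. */
    public static int storedLength(int plaintextBytes) {
        int ivChars = 4 * ((IV_BYTES + 2) / 3);                       // 16
        int ctChars = 4 * ((plaintextBytes + TAG_BITS / 8 + 2) / 3);  // ciphertext plus 16-byte tag
        return ivChars + 1 + ctChars;                                 // +1 for the ':' separator
    }

    public static void main(String[] args) throws Exception {
        Path keyFile = Path.of(System.getProperty("java.io.tmpdir"), "demo-service.key"); // constructed path
        Files.deleteIfExists(keyFile);       // demo only; never do this to a real key file
        createKeyFile(keyFile);

        ServicePasswordVault vault = fromKeyFile(keyFile);
        String stored = vault.encrypt("ftp-s3cret");   // constructed sample credential
        System.out.println("column value : " + stored + " (" + stored.length() + " chars)");
        System.out.println("recovered    : " + vault.decrypt(stored));
        System.out.println("a 64-byte plaintext needs a column of " + storedLength(64) + " chars");
    }
}
```

Two design points worth noting: GCM gives an authentication tag, so a value edited in the database is detected at decrypt time rather than silently yielding garbage, and the random IV is stored alongside the ciphertext so the same credential encrypted twice produces different rows. The key file is what Ulf's objection is about: it must be readable only by the account running the application, and the database must not contain it.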
 
Ulf Dittmer
Rancher
Posts: 43081
Well, sure, but if the database isn't safe from intruders, you gotta wonder what else may be compromised.
 
Martijn Verburg
author
Posts: 3285

Originally posted by James Clark:
Java simplified encryption - jasypt.org
[ August 26, 2008: Message edited by: James Clark ]

Hmm, gotta look into that, looks very useful for developers who aren't security gurus!
 
Sri Anand
Ranch Hand
Posts: 392
Do you think we can get some examples to look at? Figuring it out from the API looks tough.
[ August 26, 2008: Message edited by: Raghunandan Mamidala ]
 
Ranch Hand
Posts: 510
FYI - it is considered a bad practice to store a password anywhere, including a DB. You hash the password and store this hash somewhere (say a DB). Then you match up to this hash value when the user enters a password by using the same hashing algorithm. This is why in some applications, when you ask for a lost password, you get a new password instead of the old one, because it does not exist anywhere.
 
Jimmy Clark
Ranch Hand
Posts: 2187
Thank you Michael!
 