our application uses a FTP,SMTP,BO sever , we have a requirement to store all passords in database encrypted and retrieve it from java. how do i achieve this ? are there any tools already available for this ?
Originally posted by Raghunandan Mamidala: Our application uses a FTP, SMTP, BO sever, we have a requirement to store all passwords in database encrypted and retrieve it from java. How do I achieve this? are there any tools already available for this ?
If you're looking for a basic solution, the std JDK provides basic encrypt and decrypt functionality based on a few basic algorithms, just Google "java encrypt passwords" to see lots of examples.
Storing the Password --------------------
You can use a stand alone java 'user' administration utility to encrypt a password for a user and store that password as a string in the database (std varchar field). A common gotcha here is the maximum length of an encrypted string after you encrypt it, make sure it fits in your database column!
Many database vendors also supply standalone tools or SQL functions for this (take plain text password and encrypt it).
Retrieving the password -----------------------
When the 'user' then enters a plain text password for the relevant part of your system you 'simply compare' their password against the password in the database (see below).
You can do this in 2 ways, either:
* Encrypt the password coming in and compare that against the value in your database
* Decrypt the password in the database and compare that against the value coming in.
But then you have to store the encryption key somewhere (in addition to the encrypted passwords). You don't say what you're trying to guard against - would this really be enhanced security?
Joined: Mar 06, 2005
we are usign Orien server , which takes care of encrtypting the Database login password. What i am looking is to put all the other servers password encrypted (like FTP ,SMTP etc) so my question is how do we put it encrypted in DB and retrieve. We dont want all these severs user names and passwords in clear text in a config file for security reasons [ August 26, 2008: Message edited by: Raghunandan Mamidala ]
Originally posted by Ulf Dittmer: But then you have to store the encryption key somewhere (in addition to the encrypted passwords). You don't say what you're trying to guard against - would this really be enhanced security?
I typically have an encryption policy and key file on a secure location on the file system (read-only by root and the java admin user for the app).
Joined: Mar 22, 2005
Well, sure, but if the database isn't safe from intruders, you gotta wonder what else may be compromised,
FYI - it is considered a bad practice to store a password anywhere including a DB. You hash the password and store this hash somewhere (say a DB). Then you match up to this hash value when the user enters a password by using the same hashing algorithm. This is why in some applications, when you ask for a lost password, you instead get a new password instead of the old one, because it does not exist anywhere.