JavaRanch » Java Forums » Engineering » Security
How to store passwords securely

Sri Anand
Ranch Hand

Joined: Mar 06, 2005
Posts: 392
Our application uses an FTP, SMTP and BO server; we have a requirement to store all passwords encrypted in the database and retrieve them from Java. How do I achieve this? Are there any tools already available for this?
Martijn Verburg
author
Bartender

Joined: Jun 24, 2003
Posts: 3274
    
Hi there,

Originally posted by Raghunandan Mamidala:
Our application uses an FTP, SMTP and BO server; we have a requirement to store all passwords encrypted in the database and retrieve them from Java. How do I achieve this? Are there any tools already available for this?


If you're looking for a basic solution, the standard JDK provides basic encrypt and decrypt functionality based on a few basic algorithms; just Google "java encrypt passwords" to see lots of examples.

Storing the Password
--------------------

You can use a stand-alone Java 'user' administration utility to encrypt a password for a user and store that password as a string in the database (standard varchar field). A common gotcha here is the maximum length of an encrypted string after you encrypt it; make sure it fits in your database column!

Many database vendors also supply standalone tools or SQL functions for this (take plain text password and encrypt it).

Retrieving the password
-----------------------

When the 'user' then enters a plain text password for the relevant part of your system you 'simply compare' their password against the password in the database (see below).

You can do this in 2 ways, either:

* Encrypt the password coming in and compare that against the value in your database

OR

* Decrypt the password in the database and compare that against the value coming in.

Cheers,
Martijn


Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42264
    
But then you have to store the encryption key somewhere (in addition to the encrypted passwords). You don't say what you're trying to guard against - would this really be enhanced security?


Sri Anand
Ranch Hand

Joined: Mar 06, 2005
Posts: 392
We are using Orien server, which takes care of encrypting the database login password.
What I am looking for is to store all the other servers' passwords encrypted (like FTP, SMTP etc.), so my question is how do we put them encrypted in the DB and retrieve them.
We don't want all these servers' user names and passwords in clear text in a config file, for security reasons.
[ August 26, 2008: Message edited by: Raghunandan Mamidala ]
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
Java simplified encryption - jasypt.org
[ August 26, 2008: Message edited by: James Clark ]
Martijn Verburg
author
Bartender

Joined: Jun 24, 2003
Posts: 3274
    
Originally posted by Ulf Dittmer:
But then you have to store the encryption key somewhere (in addition to the encrypted passwords). You don't say what you're trying to guard against - would this really be enhanced security?


I typically have an encryption policy and key file on a secure location on the file system (read-only by root and the java admin user for the app).
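Pulling Martijn's two posts together (encrypt the secret, store it as a string in a varchar column, retrieve it, and keep the key in a file only root and the application user can read), here is an added Java example written for this page; it is not code from the thread or from any of the posters. It uses only the JDK's javax.crypto: AES-GCM with a fresh random IV per record, the key loaded from a file that the code refuses to use if group-writable or world-readable, a helper for the "does it fit in the column" gotcha, and retrieval by decryption. The key file path, the HashMap standing in for the database table, and the SMTP credential are all constructed for the example. Of the two comparison routes Martijn lists, "encrypt the incoming value and compare ciphertexts" only works if encryption is deterministic (same IV every time), which is exactly what makes it weak, so this example decrypts instead; for the FTP/SMTP case in the question there is no comparison at all, the application needs the plaintext to log in to the remote server. Ulf's point still stands: this protects a database dump or a readable config file, not an attacker who already runs code as the application user.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Keeps outbound service credentials (FTP, SMTP, ...) encrypted at rest with a key held in a root/app-only file. */
public class CredentialVault {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the size GCM is specified for
    private static final int TAG_BITS = 128;  // authentication tag: tampering or a wrong key is detected
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    public CredentialVault(SecretKey key) { this.key = key; }

    /** Loads a raw 32-byte AES-256 key; refuses it unless only the owner (and at most a read-only group) can see it. */
    public static CredentialVault fromKeyFile(Path keyFile) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keyFile); // POSIX hosts only
        Set<PosixFilePermission> tooOpen = EnumSet.of(
                PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE,
                PosixFilePermission.OTHERS_EXECUTE, PosixFilePermission.GROUP_WRITE);
        tooOpen.retainAll(perms);
        if (!tooOpen.isEmpty()) {
            throw new IllegalStateException(keyFile + " is too permissive (" + perms + "); expected mode 0400 or 0440");
        }
        byte[] raw = Files.readAllBytes(keyFile);
        if (raw.length != 32) throw new IllegalStateException("expected a 32-byte key, got " + raw.length);
        return new CredentialVault(new SecretKeySpec(raw, "AES"));
    }

    /** Returns Base64(iv || ciphertext || tag), a plain string for a VARCHAR column. */
    public String encrypt(String plaintext, String context) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                          // fresh IV per record: never reuse an IV under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(context.getBytes(StandardCharsets.UTF_8)); // binds the ciphertext to its row, e.g. "smtp:host:user"
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Reverses encrypt(); throws AEADBadTagException on a wrong key, a tampered value, or a swapped row context. */
    public String decrypt(String stored, String context) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        if (in.length < IV_BYTES + TAG_BITS / 8) throw new GeneralSecurityException("stored value too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(in, 0, IV_BYTES)));
        c.updateAAD(context.getBytes(StandardCharsets.UTF_8));
        byte[] pt = c.doFinal(Arrays.copyOfRange(in, IV_BYTES, in.length));
        return new String(pt, StandardCharsets.UTF_8);
    }

    /** Column width needed for secrets of up to maxPlaintextBytes: Base64 grows iv+plaintext+tag by 4/3. */
    public static int columnWidthFor(int maxPlaintextBytes) {
        int rawLen = IV_BYTES + maxPlaintextBytes + TAG_BITS / 8;
        return 4 * ((rawLen + 2) / 3);
    }

    public static void main(String[] args) throws Exception {
        // In production: CredentialVault.fromKeyFile(Paths.get("/etc/myapp/vault.key")), created once with
        //   head -c 32 /dev/urandom > /etc/myapp/vault.key && chmod 0440 /etc/myapp/vault.key
        // The demo uses a throwaway in-memory key so it runs anywhere.
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        CredentialVault vault = new CredentialVault(new SecretKeySpec(raw, "AES"));

        Map<String, String> table = new HashMap<>();       // stands in for the DB table: row context -> stored value
        String ctx = "smtp:mail.example.com:relay-user";   // constructed sample, not from the original thread
        table.put(ctx, vault.encrypt("s3cret-relay-pw", ctx));
        System.out.println("stored:    " + table.get(ctx));
        System.out.println("recovered: " + vault.decrypt(table.get(ctx), ctx)); // handed to the SMTP client
        System.out.println("VARCHAR width for 64-byte secrets: " + columnWidthFor(64));

        try {
            vault.decrypt(table.get(ctx), "ftp:files.example.com:relay-user"); // value copied to another row
        } catch (AEADBadTagException e) {
            System.out.println("rejected: ciphertext is bound to a different row context");
        }
    }
}
```

On JDKs older than 8u161 a 32-byte key needs the unlimited-strength policy files installed; use a 16-byte key there. The permission check only runs on POSIX file systems; on Windows `getPosixFilePermissions` throws `UnsupportedOperationException`, and you would check the ACL instead.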
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42264
    
Well, sure, but if the database isn't safe from intruders, you gotta wonder what else may be compromised.
Martijn Verburg
author
Bartender

Joined: Jun 24, 2003
Posts: 3274
    
Originally posted by James Clark:
Java simplified encryption - jasypt.org

[ August 26, 2008: Message edited by: James Clark ]


Hmm, gotta look into that, looks very useful for developers who aren't security gurus!
Sri Anand
Ranch Hand

Joined: Mar 06, 2005
Posts: 392
Do you think we can get some examples to look at? Figuring it out from the API looks tough.
[ August 26, 2008: Message edited by: Raghunandan Mamidala ]
Michael Ku
Ranch Hand

Joined: Apr 20, 2002
Posts: 510
FYI - it is considered a bad practice to store a password anywhere, including a DB. You hash the password and store this hash somewhere (say a DB). Then you match up to this hash value when the user enters a password, by using the same hashing algorithm. This is why in some applications, when you ask for a lost password, you get a new password instead of the old one, because it does not exist anywhere.
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
Thank you Michael!
 
I agree. Here's the link: http://aspose.com/file-tools