How and where to store master password for a Java desktop application

I am working on a small Java desktop application that stores users' passwords in a .db file. When the user creates a new database, the user must create a master password for that database, in order to access any Facebook or Twitter passwords that they may choose to store in it. My question is, where and how should I securely store the master password?

My idea was to encrypt the master password and add a salt before storing it, then store the password in an encrypted text file or .db file, then read it off when a user attempts to access the database. I am just looking for guidance on whether this is a good idea, or if there are any better alternatives.

The application is a desktop application, not a web application.

insudo asked Oct 02 '22 10:10


1 Answer

The most secure way to store passwords is in such a way that even you (your app) don't know what the password is. This is accomplished by using a one-way hash. As the name implies, this is one way: there is no way to "un-hash" a hashed value and see what the original value was.

One of the important characteristics of a cryptographic hash is that hashing a value will always produce the same hash. The SHA-2 (256) hash of "The quick brown fox jumps over the lazy dog" will always generate the hash d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592. While there is no way to take that hash and determine what the unhashed value is, a hacker with a rainbow table could see what it corresponds to (this is why weak passwords, even when hashed, are still vulnerable: every rainbow table in the world is going to have the hashes for 123456).

So before hashing the password we add a salt (ideally a different salt for each user). If before hashing "The quick brown fox jumps over the lazy dog" we add a salt (let's just use the word "salt" as a simple example) we would now hash "saltThe quick brown fox jumps over the lazy dog" and get b369837c6389d8dddb06cb669961b0ab80f5166cc8cebcfaf9734ed009c31e8b as our hash.

The salted hash is what you should store (however/wherever makes sense for your application) and check against. So when a user first creates an account you will:

  1. take the password they choose and add the salt
  2. hash it (using a collision free cryptographic hash, such as SHA-2)
  3. store the result

When the user attempts to login you will:

  1. take the password they input into the login form and add the salt
  2. hash it
  3. compare it to what you have stored

If it is not identical, they entered the incorrect password; if it is the same, you know they entered the correct password and you can log them in.

frostmatthew answered Oct 13 '22 11:10
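The create-then-verify flow the answer describes (a random per-database salt, SHA-256 over salt + password, a constant-time comparison against the stored value), as an added Java example that is not code from the question or the answer; the class and method names are my own, and it assumes Java 16 or later for the record type.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/** Salted SHA-256 storage and verification of a master password (hypothetical helper). */
public final class MasterPasswordStore {
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    /** What gets persisted (e.g. in the .db file): the salt and the hash, never the password. */
    public record StoredHash(byte[] salt, byte[] hash) {
        public String encode() {
            Base64.Encoder enc = Base64.getEncoder();
            return enc.encodeToString(salt) + ":" + enc.encodeToString(hash);
        }
        public static StoredHash decode(String s) {
            String[] parts = s.split(":", 2);
            Base64.Decoder dec = Base64.getDecoder();
            return new StoredHash(dec.decode(parts[0]), dec.decode(parts[1]));
        }
    }

    /** Hash salt || password, exactly the "saltThe quick brown fox..." construction. */
    private static byte[] sha256(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java runtime", e);
        }
    }

    /** Account creation: fresh random salt, hash, return the record to store. */
    public static StoredHash create(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return new StoredHash(salt, sha256(salt, password));
    }

    /** Login: re-hash the attempt with the stored salt and compare in constant time. */
    public static boolean verify(String attempt, StoredHash stored) {
        return MessageDigest.isEqual(stored.hash(), sha256(stored.salt(), attempt));
    }

    public static void main(String[] args) {
        StoredHash loaded = StoredHash.decode(create("correct horse").encode()); // round-trip via storage
        System.out.println(verify("correct horse", loaded) + " " + verify("wrong", loaded));
    }
}
```

For a password store, a deliberately slow key derivation such as PBKDF2 (available in the JDK via javax.crypto.SecretKeyFactory with "PBKDF2WithHmacSHA256") resists offline guessing far better than a single SHA-256 pass; the salt-store-verify flow above stays the same, only the hashing function changes.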