Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the best practice for securely storing passwords in Java

Tags:

What would be the recommended way for storing passwords in a Java desktop application?

I want the user to have the ability to enter the credencials only once and not be prompted again.

On personal projects I've been using the Preferences API, but I'm assuming this is no different than storing it in plain text (security wise).

Many thanks

EDIT:

Many thanks for your suggestions. There seems to be some confusion, no doubt because I might have not made the question very clear...

I'll give an hypotetical scenario:

Say I'm creating a simple front-end for a remote database which creates a connection string with username/password. Normally the user would be prompted to enter the username/password combination each time the application starts.

What would be the best way to store that password in the user's machine, without the need to re-enter it (connecting automatically upon application start).

A kind of "remember me" functionality (which I know in itself is not a very good practice...)

EDIT2:

Thanks for your answers everyone. Paŭlo Ebermann's was very informative about the problems at hand and Chris Smith's link was interesting, but I've accepted JVerstry's one, as keystores might be the route I'm taking.

like image 316
Rui Vieira Avatar asked Aug 10 '11 20:08

Rui Vieira


People also ask

What is the best way to store passwords in Java?

Currently, the most secure way to store passwords is using Password Based Encryption (PBE), which provides functions (called Key Derivation Functions (KDFs)) that will convert low entropy user passwords into random, unpredictable, and most importantly one-way, irreversible bytes of data.


2 Answers

You can use a local keystore where you could put passwords instead of secret keys.

Answer to edit:

Keystores are a perfect fit for your need. If you want extra protection, you could ask the user for one password to access all passwords when the user starts the application. Then, you could protect stored database password with a simple salt-and-stretch method (to generate an encryption key) using the one password that was used when starting the application.

like image 89
Jérôme Verstrynge Avatar answered Nov 17 '22 01:11

Jérôme Verstrynge


There is no way to store something on a computer in a way that your Java program can retrieve it (without the user entering some password), but no other program (running in the same user's account) on this computer can retrieve it.

You can try to encrypt it somehow and hide the decryption algorithm together with the decryption key in your program (white-box cryptography), but then the attacker just needs to run your program in a debugger to let it decrypt the data.

You could use the system's permission system, but this will usually not help if the attacker is some program running in the same user account as your Java program (and would help even less if the attacker has root access).

The best bet would be to store the password on a USB memory and tell the user to take it out when you are done using it, but if the attacking program is running and observing while you are reading the secret from the stick, even this does not help.

like image 38
Paŭlo Ebermann Avatar answered Nov 17 '22 02:11

Paŭlo Ebermann