1

At the start of my Java application, I have the user enter his username and password. These credentials are stored in a ConnectionKey object which is used as the application makes queries to a web service. Each query requires a valid username and password. Also, these queries are performed throughout the entire life of the application.

Right now I am storing the user password as simply a String in the ConnectionKey. I know this is highly insecure, and I would like to make this more secure by some sort of encryption. However, I need to be able to retrieve the original user password in order to query this web service.

  • How can I securely store the user password, while still using this password throughout the application?

Thanks!

EDIT

ConnectionKey is simply a class like so:

class ConnectionKey {

    private final String user;
    private final String pass;
    private final String server;

    public ConnectionKey(String user, String pass, String server) {
         this.user = user;
         this.pass = pass;
         this.server = server;
    }

}
souldzin
  • 1,428
  • 11
  • 23
  • What is the ConnectionKey? – Vitaly Apr 04 '13 at 22:03
  • Am I getting this right: the ConnectionKey is one of your classes that has the password in it (as a String)?. Where do you store your password when the application is not running? Are you storing the ConnectionKey in a file? – GameDroids Apr 04 '13 at 22:06
  • @GameDroids I only need to store the password while it is running – souldzin Apr 04 '13 at 22:07
  • 4
    Take a look at [this post](http://stackoverflow.com/questions/12937641/handling-passwords-used-for-auth-in-source-code) which covers this quite nicely. While the original question in the linked post refers to passwords in source code, the answer covers your scenario also. – Alan Apr 04 '13 at 22:07
  • @Alan I would +5 your comment.. but I can only +1. Anyway – SoulDZIN, If you are using a webservice that demands the users password credentials for every single transaction or query, you should have a look if this webservice does not provide you with more secure means to authenticate – like for example OAuth2.0. Transmitting the password and username for every request is really borderline unsafe. – GameDroids Apr 04 '13 at 22:14
  • @Alan thanks for that link! I think I have a good idea of what I need to do now. Thanks everyone! – souldzin Apr 05 '13 at 14:05
  • -1, its scary that you think that this is possible. – rook Apr 05 '13 at 15:18

1 Answers1

0

To begin with, I am sure that you read the following question on SO Why is char[] preferred over String for passwords? Which implies that if you have plain password, at least be it a char[] not String

Other than that, to securely store a user password, you should encrypt it with a well-known, well-tested (and usually one-way) encryption algorithm.

This maybe contradicts with what you asked and how you use ConnectionKey, but the problem is easy encrypt your password and change your api/methods where password is used.

For example, if you are trying to validate a ConnectionKey on the server side, change that method to work with encrypted passwords, that is, use the same encryption algorithm for the known password and compare it with the incoming encrypted one.

Community
  • 1
  • 1
Serkan Arıkuşu
  • 5,549
  • 5
  • 33
  • 50
  • duplicate question, all links were given in comments – Vitaly Apr 04 '13 at 22:15
  • I would change the way things are done on the server side, but I am unable to do that. I'm going to look into logging in only once at the beginning of the application. If that won't work, I will store the password as an encrypted char[] and simply decrypt before use. Thanks for the reply! – souldzin Apr 05 '13 at 14:13