
I have read several topics about this situation and found some solutions, but I'm not quite sure if they fit my project.

For example this topic: https://stackoverflow.com/questions/10306673/securing-a-password-in-a-properties-file

In my web application a user can register and do stuff on my homepage, where he has to be logged in. I'm saving the password with SCrypt. The user can log in by typing in the password in clear text; the password gets checked against the encrypted password in the database. If the password is correct, then the user has access to the control center.

Registered AND non-registered users can send emails to my e-mail account with a contact form.

This contact form calls a Bean, which sends an email. To send this E-Mail I have to store the account information somewhere.

The problem is that I have to get the password decrypted. If I save the information encrypted, the account validation fails.

Saving the password in plain text is absolute horror.

I thought about setting the passwords into a property in an application-scoped bean after the application has started, but I'm not sure if this is a safe way.

Another option is a file which the application reads from if the password is needed. But in this file the password is decrypted.

What is the best way to save a password which is needed by the application?

EDIT1 06.04.2016 12:48:

I need the password decrypted for my EmailBean, so the bean can log in to my e-mail account and send the message.

Rallenaldo
  • For which reason / task do you need the password unencrypted? Saving or using the password unencrypted is most probably a wrong concept. – Vampire Apr 06 '16 at 10:36
  • Are you saying that you need the user to send the password AFTER he is logged in? – Jim Apr 06 '16 at 10:38
  • You might want to investigate "Hashing". Roughly: You are not storing the password (neither plaintext nor encrypted) but a hash of it. When the user types in the password, the same hash function will be applied to it and compared with the stored hash. Of course, there is a lot more to that. You still have to securely transfer ... Salt&Pepper ... and so on and so on. – Fildor Apr 06 '16 at 10:38
  • @Fildor he is using SCrypt which even cryptographically secures the hash, so I think this is more a conceptual problem of the OP. :-) – Vampire Apr 06 '16 at 10:40
  • @Vampire Oh I see. Thanks. Thought he just encrypts the plaintext-pw. – Fildor Apr 06 '16 at 10:41
  • Hi. My problem is that I need the password decrypted for my EmailBean, so it can log in to my e-mail account and send the E-Mail. – Rallenaldo Apr 06 '16 at 10:47
  • Aaaahhh, totally confusing! So your actual problem is to store SMTP credentials ... or even one specific instance of credential. Is your site self-hosted? – Fildor Apr 06 '16 at 10:51
  • At the moment I only have my homepage locally on my Glassfish server, but I am going to rent a v-server this week and I want to put my homepage online – Rallenaldo Apr 06 '16 at 11:02

1 Answer


Well, if you need the password to auth against your mail server, you need it in plaintext somewhere. If you do not lift the requirement to have the password, e.g. by configuring your mail server to accept mails from your IP without a password, then the best you can do is to obfuscate the password with some encryption. But it has to be something reversible, and your code will reverse it. So if someone breaks into the system and has access to your code, he will also be able to decrypt and retrieve your password. But at least it will not be in plaintext in the file.

Vampire
  • Thank you for your answer. What is the problem with a config.properties file? I was told that it is not accessible for someone outside of the server. If someone breaks into the system, he will most likely be able to get the passwords anyway. Is a config file a secure solution? – Rallenaldo Apr 06 '16 at 19:47
  • I'd say it is satisfactory, as long as your system is secured properly so that the file cannot be accessed. Encrypting it in the file is just another barrier: if someone manages to break into the system, he may not be firm enough to decrypt it. So it is just another security measure. Whether you take it or not is up to you. – Vampire Apr 07 '16 at 08:27
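The following is an added example of the approach the answer describes (a reversible encryption of the SMTP password in `config.properties`, decrypted once at startup into an application-scoped bean); it is not code from the question or the answer. It assumes a 32-byte AES key supplied to the GlassFish process through a hypothetical environment variable `MAIL_SECRET_KEY`, and hypothetical property names `mail.smtp.host`, `mail.user` and `mail.password.enc`. The ciphertext is AES-256-GCM with a random 12-byte nonce, so tampering with the file is detected rather than producing a garbage password.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.annotation.PostConstruct;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.enterprise.context.ApplicationScoped;
import javax.mail.Authenticator;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;

/** Reversible protection of the SMTP password stored in config.properties. */
public final class MailSecret {
    private static final String ENV_KEY = "MAIL_SECRET_KEY"; // hypothetical variable name
    private static final int GCM_TAG_BITS = 128;
    private static final int NONCE_BYTES = 12;

    private MailSecret() {}

    /** The key lives in the server's environment, not in the same file as the ciphertext. */
    static SecretKeySpec keyFromEnv() {
        String b64 = System.getenv(ENV_KEY);
        if (b64 == null || b64.isEmpty()) {
            throw new IllegalStateException(ENV_KEY + " is not set");
        }
        byte[] key = Base64.getDecoder().decode(b64);
        if (key.length != 32) {
            throw new IllegalStateException("key must be 32 bytes (AES-256)");
        }
        return new SecretKeySpec(key, "AES");
    }

    /** Returns base64(nonce || ciphertext || tag); a fresh nonce per call. */
    public static String encrypt(String plaintext, SecretKeySpec key) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Throws on a wrong key or a modified file instead of returning garbage. */
    public static String decrypt(String b64, SecretKeySpec key) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(b64);
        if (in.length < NONCE_BYTES + GCM_TAG_BITS / 8) {
            throw new GeneralSecurityException("ciphertext too short");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, in, 0, NONCE_BYTES));
        byte[] pt = c.doFinal(in, NONCE_BYTES, in.length - NONCE_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    /** One-off helper: java MailSecret 'smtp password' prints the value for mail.password.enc. */
    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println(encrypt(args[0], keyFromEnv()));
    }
}

/** Decrypts once at startup; the plaintext exists only in this bean's memory. */
@ApplicationScoped
class MailConfig {
    private static final String CONFIG_PATH = "/opt/app/config.properties"; // hypothetical path
    private Session session;

    @PostConstruct
    void init() {
        try (FileInputStream in = new FileInputStream(CONFIG_PATH)) {
            Properties cfg = new Properties();
            cfg.load(in);
            final String user = cfg.getProperty("mail.user");
            final String password = MailSecret.decrypt(cfg.getProperty("mail.password.enc"), MailSecret.keyFromEnv());
            Properties props = new Properties();
            props.put("mail.smtp.host", cfg.getProperty("mail.smtp.host"));
            props.put("mail.smtp.auth", "true");
            props.put("mail.smtp.starttls.enable", "true");
            session = Session.getInstance(props, new Authenticator() {
                @Override
                protected PasswordAuthentication getPasswordAuthentication() {
                    return new PasswordAuthentication(user, password);
                }
            });
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException("cannot load mail configuration", e);
        }
    }

    /** Injected into the EmailBean, which never sees the password itself. */
    public Session session() {
        return session;
    }
}
```

As the answer points out, this only raises the bar: anyone who can read both the properties file and the process environment (or the code and a heap dump) can recover the password, so the file still needs restrictive permissions (owned by the server user, mode 600) and the key must not be committed alongside the file. The same ciphertext-plus-key split is what the container-managed alternative gives you; if the host's mail server can be told to accept mail from the application's own IP without authentication, the password can be dropped entirely, which is the cleaner fix.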