0

I have the following three lines in my little game which store the id and pass of a new user:

Properties prop = new Properties();
prop.setProperty(id, pass);
prop.store(new FileOutputStream(new File("path/to/project/src/properties.data")), "");

Unfortunately I've noticed that only by changing the properties file extension to txt all the users and passwords become visible and readable by anybody, which is a thing I don't really like. Please let me know of a good easy method to encrypt the file in some way.

The thing is I already searched about this but the answers don't really fit my needs, I don't expect my game files getting attacked by the biggest hackers so using AES or any other big popular libraries would be too much I'd say. What do you think?

Andrei Mesh
  • 256
  • 2
  • 20
  • 9
    For passwords you should use **hashing** not encryption. You can use something like bCrypt for this purpose. – Boris the Spider Jul 31 '16 at 22:43
  • http://www.mindrot.org/projects/jBCrypt/ found this. Looks cool to me – Andrei Mesh Jul 31 '16 at 22:50
  • 2
    There's not enough information here to suggest hashing instead of encryption. Do you use the stored password to login to a remote server? If so, hashing won't work. – erickson Jul 31 '16 at 23:41
  • For encryption (if that is the use case) of all data writen to a file, use a wrapping Cipher stream - see https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html , http://docstore.mik.ua/orelly/java-ent/security/ch13_06.htm , http://stackoverflow.com/questions/6608529 etc. On the other hand, it may be appropriate to only encrypt individual fields. – user2864740 Aug 01 '16 at 00:24
  • "*I don't expect my game files getting attacked by the biggest hackers so using AES or any other big popular libraries would be too much I'd say.*" why do you conclude this? If you need to encrypt content use a proper encryption tool. Anything else is just obfuscation. – dimo414 Aug 01 '16 at 03:30

3 Answers3

3

First, everybody can read your password file, no matter if the extension is .txt or .data or whatever else. The extension is just a Windows trick to decide with which program to open the file, but it does nothing to the contents.

If you want to encrypt the password file, you'll need a key and / or a password for that, and then you need to figure out where and how to store that. You just postpone the problem.

If the file holds names and passwords of the players in your game, go with @Boris the Spider's advice: instead of saving (encrypted) passwords, just save the password's hash. When someone logs in, calculate the hash of the entered password and compare that to the hash you have saved. If they are equal, the user entered the correct password. See this question and the accepted answer for a possible way to do this.

Robert
  • 7,394
  • 40
  • 45
  • 64
1

Here's an excellent article on storing passwords securely. The examples are in C#, not Java, but it's still a helpful discussion: https://blog.mking.io/password-security-best-practices-with-examples-in-csharp/

I also strongly recommend the book "24 Deadly Sins of Software Security" by Michael Howard and David LeBlanc as a more general overview of common security bugs and how to avoid them.

EJoshuaS - Stand with Ukraine
  • 11,977
  • 56
  • 49
  • 78
0

I faced a similar problem and I took resort in writing an AES encrypted string in file (in my case, users were asked to take encrypted key from administrators to put into property files, so I provided a method to encrypt password to them too) and then decrypting it in the method where I am reading it.

RAHUL ROY
  • 126
  • 2
  • 13