
I'm creating a simple Java-based login system. It asks for login details and checks a text file to see if the credentials match. If they do, the user is allowed to pass through the security. As of now anyone can just open the '.txt' file and read the credentials. I want to prevent that from happening. How can I do that?

P.S.- I'm still learning the basics and saving DBMS for later, so that's that.

  • You're storing passwords in a data store, except the data store is a flat-file instead of a database (which means for the nth user you have to go through (n-1) passwords to find them, which makes it **very** insecure). It's *possible*, but the bigger question is...if you're just learning this stuff, why bother with the file system at all? Why not go half-hog and use the database? – Makoto Aug 26 '16 at 20:44
  • Because I don't know database languages well enough to implement them with Java. As I said, I'm still learning stuff. – Shivam Dhawan Aug 26 '16 at 20:47
  • That's precisely my point. There's a lot of danger in trying to roll your own login system, and it does require that one understands the components of an actual login system. Since you're learning, I personally do see this as an opportunity to learn some of the better approaches. I can respect that you want the basic approach, but in all seriousness, you *don't* want to learn one really, really bad but "it works" approach to use later on. – Makoto Aug 26 '16 at 20:48
  • I am not going to roll out the login system. It is just a project I'm doing for myself. Besides, it's not just about this project, it's about learning how I can store data (any kind of data) in a file without allowing users to read it. – Shivam Dhawan Aug 26 '16 at 20:51
  • You should never encrypt your users' passwords. You need to use hashing instead, with some strong ones being PBKDF2, bcrypt, scrypt and Argon2. Since hash functions are one-way functions, you won't be able to "decrypt" the hashes. In order to authenticate your user, you can run the password through the hash function again in order to compare with the hash that is stored in the database. See more: [How to securely hash passwords?](http://security.stackexchange.com/q/211/45523) – Artjom B. Aug 26 '16 at 20:54

1 Answer


Bottom line: Use a hashing algorithm, and learn what salting and hashing mean. You can still store your passwords in a text file, and you don't have to learn anything about databases.

If you're new but at the point where you're accepting login information, it's time to learn what hashing means.

Nate Vaughan
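As an added illustration of the answer above (this is not Nate Vaughan's code, nor the asker's), here is a minimal Java credential store that keeps a salted PBKDF2 hash per user in a plain text file instead of the password itself. It assumes the JDK's built-in `PBKDF2WithHmacSHA256` (chosen because it needs no third-party library; bcrypt, scrypt or Argon2 from the comments are equally valid), a made-up line format `username:iterations:base64(salt):base64(hash)`, and an iteration count of 210,000, which is an assumed work factor you should tune to your own hardware. The class name and method names are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Flat-file credential store (example code, not from the original post).
 * Each line of the file holds: username:iterations:base64(salt):base64(hash)
 * The password itself is never written to disk.
 */
public class FileCredentialStore {
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256"; // available in JDK 8+
    private static final int ITERATIONS = 210_000;   // assumed work factor; tune to your hardware
    private static final int SALT_BYTES = 16;
    private static final int HASH_BITS = 256;
    private static final byte[] DUMMY_SALT = new byte[SALT_BYTES]; // used for unknown users
    private static final SecureRandom RNG = new SecureRandom();

    private final Path file;

    public FileCredentialStore(Path file) { this.file = file; }

    /** Derive a fixed-length key from the password and salt; this is the "hash" stored on disk. */
    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword(); // drop the in-memory copy the spec made
        }
    }

    /** Append a new user line with a fresh random salt. Clears the password array afterwards. */
    public void register(String username, char[] password) throws IOException {
        if (username.contains(":") || username.contains("\n")) {
            throw new IllegalArgumentException("username must not contain ':' or a newline");
        }
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                         // per-user salt defeats precomputed tables
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        Arrays.fill(password, '\0');
        Base64.Encoder b64 = Base64.getEncoder();    // Base64 never contains ':', so splitting is safe
        String line = username + ":" + ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(hash) + System.lineSeparator();
        Files.write(file, line.getBytes(StandardCharsets.UTF_8),
                StandardOpenOption.CREATE, StandardOpenOption.APPEND);
    }

    /** Re-derive the hash from the supplied password and compare it in constant time. */
    public boolean verify(String username, char[] password) throws IOException {
        byte[] salt = DUMMY_SALT;                    // unknown user: still do the full PBKDF2 work
        byte[] stored = new byte[HASH_BITS / 8];     // so response time does not reveal valid usernames
        int iterations = ITERATIONS;
        if (Files.exists(file)) {
            for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
                String[] parts = line.split(":");
                if (parts.length == 4 && parts[0].equals(username)) {
                    iterations = Integer.parseInt(parts[1]);
                    salt = Base64.getDecoder().decode(parts[2]);
                    stored = Base64.getDecoder().decode(parts[3]);
                    break;
                }
            }
        }
        byte[] computed = pbkdf2(password, salt, iterations);
        Arrays.fill(password, '\0');
        return MessageDigest.isEqual(stored, computed); // constant-time comparison, not Arrays.equals
    }

    public static void main(String[] args) throws IOException {
        Path store = Files.createTempFile("users", ".txt");
        FileCredentialStore cs = new FileCredentialStore(store);
        cs.register("alice", "correct horse battery staple".toCharArray());
        System.out.println("correct password: " + cs.verify("alice", "correct horse battery staple".toCharArray()));
        System.out.println("wrong password:   " + cs.verify("alice", "wrong".toCharArray()));
        System.out.println("unknown user:     " + cs.verify("bob", "anything".toCharArray()));
        System.out.println("on disk: " + Files.readAllLines(store).get(0)); // salt and hash only
    }
}
```

Two caveats worth keeping in mind. Hashing protects the confidentiality of the passwords if someone reads the file; it does nothing for the file's integrity, so restrict write access with operating-system permissions, otherwise anyone who can append a line can add their own account. And the iteration count is stored per line on purpose: when you raise it later, existing users keep verifying against their old value and can be re-hashed on their next successful login.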