Securely store user account details required for use in code

Question

I am building an application that interacts with a web service. In order to use that web service I have to login using my actual username and password - there is no other way to use the service.

I do not want to hard code in my details, like so:

String username = "MyUsername";
String password = "MyPassword";

I have thought about encrypting the details and storing them in a file, but, even so, anyone who has some programming experience can easily recover the information by looking at my source code:

File f = load("mydetails.txt");
String[] = recoverDetails(f); //or something like that

What is the safest way for me to store this information?

Answer 1

If you really want them to be safe, you're going to have to lock them into a cryptographically secure "vault" file. Somebody — you or somebody trusted, however that's appropriate here — would provide a key to unlock the vault (basically another password), and then your software would be able to access the information stored in it.

If there is no human with a secret involved in starting the application, then there's really not going to be any way to totally hide the information. This is just a simple fact of reality, one that many people (like the DVD consortium) struggle to deny at their own peril.

Answer 2

To store it in a file, but make the file read-only and only readable by the service process.

If you want to give your application away, there is NO WAY to secure it in a way where the login information cannot be recovered. Sorry.

Usually this is handled by providing server side security, and by giving each user of your public API their own credentials. It is like Google Maps, where you have to get a special key and use this to use the API, so Google can track if you use the API in a legal way.

Answer 3

You do not mention where the code is deployed. If your application runs on your customer's machine and makes the web service request directly, there is no way to prevent someone from obtaining the credentials. Even if you encrypted them, the application has to be able to render them usable therefore the decryption key must be available to it, and thus to your user. Even if you could encrypt it securely, the user has other methods since it's their box, for example sniffing the outbound network traffic.

If the code making the web service call is on your server then you have the same problem but at least control the environment. At some point the server MUST render the encrypted credentials into usable form to make the web service request, therefore you can encrypt the web service credentials but a password or certificate must be available to the code to access them. Unless there's a human hanging around to enter the pass-phrase for the certificate each time, all this does is nest credentials but does not secure them.

The answer to this of course, is not to try to solve the problem of an unsecure web service requirement in your code. Either find a more secure equivalent web service that you can call (perhaps one that uses an API key and user's own credentials or generates a secure token) or lobby the web service provider to do it the right way. Look at all the recent advances in security on Twitter and Facebook - user demand can make a difference.

Answer 4

Since you're suggesting that people will be able to see your code i'm guessing they will also be able to run the software on their hardware (meaning they have root and any read-only restriction will fail, ultimately).

The only secure way that i can think of is the following:

• Get yourself an e-signature on a smart card
• Encrypt the password with your public key and store it

This way the only way to use your credentials will be by decrypting them with the private key which is stored read-only on your card and accessed with an additional password (PIN code).

As Pointy mentioned, if there is no human element holding a secret (PIN code to the private key and physical ownership of the smartcard), there is no way to have the information 100% secure.

Answer 5

You should use a hashing function and your database passwords should not be stored as plaintext but rather as hash values. Then you only provide the hash to the database and as in it there is also a hash, you don't have anything to worry about.

If you, however, must use in your program the plaintext, then an attacker with a debugger can find the values of username and password AT the moment you supply them to the database. More so, an outside attacker can observe your network with a sniffing tool (e.g wireshark) and just obtain the values if you use an insecure network protocol. Thus, it is not recommended at all to have any plaintext username password pair during the flow of your program.

If you have to do that, anyway, the bestest and safest way is to encrypt your username/password pair and when time comes for them to be sent to the server you should decrypt them and send them as plaintext as the server won't understand the encryption. If you, however, have any access to the server, maybe you should tinker with it a bit so it doesn't store passwords as plaintext.

Cheers.

Answer 6

As other people have pointed out, there is no magic way to cloak your password (it's a logical impossibility, c.f. DVD copy protection), but there are some security precautions you should take to minimize the potential for damage.

If you don't control the server (e.g. you are running your app on a shared host), then:

• Ensure the web service account you are logging into (with MyUsername/MyPassword) has only the minimum permissions necessary for the purpose of this app.
• Use this account for only one deployment (so that if it's ever compromised, you can lock out this account without affecting other apps/installations).

And if you do control the server, then in addition:

• Secure the server, i.e. normal ongoing sysadmin tasks such as firewalling, installing the latest patches, monitoring logs, etc.