
I have a Java desktop program in which I want to store credentials for login in the most secure way possible. I thought about using a database, but I have a bad feeling about it; I would just rather store it locally on the user's end, but I also need it to be very secure. The software basically revolves around being secure.

So I thought about using several rounds of very strong encryption, if that is possible. Then I need to find how to securely store those credentials.

How would you proceed? What do you recommend?

eden annonay
  • Most OSes have a store for such information, you could use that. But most likely you will need native code for that. – Marged Dec 04 '20 at 05:43
  • I don't think so. In fact, from my understanding of keystore (correct me if I'm wrong), all I would need to find the encrypted credentials is the user's password (the one he uses to open a session), so that seems a little easy to me. Now, I don't know the strength of the encryption, so I don't know about that. – eden annonay Dec 04 '20 at 08:55

1 Answer

The most preferred way to do it is hashing the password if you want to store it in a database. This is used by most web apps, such as WordPress.

You can encrypt and decrypt a password with an algorithm but you cannot 'unhash' a password.

How do you authorize?

Let's say your password is "12345" and you store it inside your database as "$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/" in a hashed form.

So whenever a user enters his password, you hash that password again and compare both hashed passwords. You don't/can't 'decrypt' from the database and compare them. There is no way to see the clear text of a user's password once it is hashed.

Check this link to learn about hashing in Java: How can I hash a password in Java?

tataelm
  • What is the difference between hashing and encrypting, though? The hash would be stronger because you can't unhash it? I will validate your answer, though, as I think combining an embedded database with hashing might be a very good start. – eden annonay Dec 04 '20 at 08:44
  • Hashing is one way. As I mentioned, you can't get the clear text from a hashed password. Generally speaking, you don't have to get the clear text from a password, since authorisation can be done from the hashed string too. This way you secure your users: their passwords won't be revealed if anything happens to your system. – tataelm Dec 04 '20 at 09:50