4

Possible Duplicate:
What is the best practice for securely storing passwords in Java

I am working on a Java application and would like to save a password locally in a file. I am not sure how to achieve this; any help would be appreciated.

Tushar Chutani
  • 2
    More info please - do you need the password to log into something else, or is it the password for the application you are writing? In other words, do you (the application) need to check the password, or provide it? – tdammers Sep 09 '11 at 05:40
  • 1
    What exactly are you trying to do? Does this password need to be recoverable? – NullUserException Sep 09 '11 at 05:40
  • I am using the Java Mail API in order to save the password of the email id, so I guess it is pretty sensitive information – Tushar Chutani Sep 09 '11 at 05:42
  • See related: http://stackoverflow.com/questions/7258072/storing-a-saved-password-in-open-source-application/7258540#7258540 – NullUserException Sep 09 '11 at 06:05

3 Answers

1

You don't provide much information for this.
My first advice would be not to save the password per se, but instead to save its hash value.
When you need to verify that someone has provided the correct password, just compare the hashes.
You could use, for example, MD5 for this (Message Digest).

If you need to be able to retrieve the password, then you have to encrypt it.
For that you could use e.g. AES (AES in Java), but for symmetric encryption you now have a new problem: where to store the decryption key.

It depends on what you want to do and on your requirements.
Your question does not say much.

Cratylus
  • This does not solve the problem: you will then have exactly the same issue when storing the key you use to encrypt the first password – Matteo Sep 09 '11 at 05:54
  • @Matteo: Depends on the requirements. The poster does not say much. Where to store the decryption password can be addressed in different ways depending on security requirements. – Cratylus Sep 09 '11 at 05:55
-1

You can use AES / DES algorithm and write the encrypted password to disk.

Rahul Choudhary
  • 1
    This does not solve the problem: you will then have exactly the same issue when storing the key you use to encrypt the first password – Matteo Sep 09 '11 at 05:54
  • @Matteo It's [impossible](http://stackoverflow.com/questions/7258072/storing-a-saved-password-in-open-source-application/7258540#7258540) to securely store a retrievable password on a local machine. – NullUserException Sep 09 '11 at 06:05
  • 1
    @NullUserException: I know, but you could ask the admin to enter the password at startup (if this is an option), you could at least store it in a place where only the (system) user running the application has access ... Depends on the use case. But what Rahul proposes does not make sense: to avoid storing the first password you have to store the second one (which you used to encrypt the first) – Matteo Sep 09 '11 at 06:24
-6

I finally figured it out. What I did was simply convert the characters into ASCII code and then add or subtract depending on the situation.

Tushar Chutani