[Java-project] Encrypting passwords

Amer2 rnmisrahi at ameritech.net
Mon Jun 16 09:36:50 EDT 2008


Regarding password, you may want to hash instead of encrypt/decrypt. This
strengthens confidentiality, since you test the password against a hash, no
one really knows what the password was.

Nevertheless, you have a good point.
Wherever you store the key that decrypts or hashes a DB password could be
accessible by anyone (including hard-coding the key in the application).

Some ideas: Store the key in 2 or 3 different files.

This is when "obscuring" as opposed to securing is not clear-cut. Hackers
would need to know where and how you stored the key.


Ruben Misrahi

  -----Original Message-----
  From: java-project-bounces at lists.owasp.org
[mailto:java-project-bounces at lists.owasp.org]On Behalf Of David Campbell
  Sent: Saturday, June 14, 2008 9:21 PM
  To: java-project at lists.owasp.org
  Subject: [Java-project] Encrypting passwords


  Hi guys,

  I just wondered if people have any thoughts on best practices for
encrypting applications passwords.  For example, storing database
credentials.
  It appears to me to be a bit of a "chicken and egg" type problem.   Any
thoughts are welcome.

  David



----------------------------------------------------------------------------
--
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/java-project/attachments/20080616/82c009c0/attachment.html 


More information about the Java-project mailing list