[Java-project] Re : Encrypting passwords

David Campbell dcamp98 at hotmail.com
Mon Jun 16 10:37:46 EDT 2008

Thanks Michel,
That is sort of the conclusion I came to. I suppose you could also store it in a token such as a smart card device and have the administrator start the application. In the past, I have generated the key from hard-coded text strings dispersed in the code. Not perfect but a little better. It doesn't appear there is an ideal solution yet.
I'll have a look at your paper. Thanks.


Date: Mon, 16 Jun 2008 14:13:16 +0000
From: mprunet at yahoo.fr
Subject: Re : [Java-project] Encrypting passwords
To: dcamp98 at hotmail.com; java-project at lists.owasp.org

Hi David,
I wrote an article here: http://www.owasp.org/index.php/Hashing_Java - maybe it can help!
It's only on application passwords. I'd appreciate your input.
For the database password, maybe you can store it in an encrypted file.
A lot of applications use an encrypted file with a predefined key. In that case you run into the "chicken and egg" problem.
If you want this file to be really secure, the administrator has to type in the decryption password (PBE algorithm) each time the server starts.


----- Original Message ----
From: David Campbell <dcamp98 at hotmail.com>
To: java-project at lists.owasp.org
Sent: Sunday, 15 June 2008, 3:21:12
Subject: [Java-project] Encrypting passwords

Hi guys,

I just wondered if people have any thoughts on best practices for encrypting application passwords. For example, storing database credentials.
It appears to me to be a bit of a "chicken and egg" type problem. Any thoughts are welcome.


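The PBE-protected configuration file Michel describes, as an added example that is not code from the thread or from OWASP: the database password is sealed offline under a key derived from an administrator passphrase (PBKDF2 then AES-GCM, a concrete choice of primitives the thread does not name) and opened at startup when the passphrase is typed in, so neither the key nor the plaintext has to live in the code or on disk. The class name PbeSecretStore, the salt:iv:ciphertext file layout and the sample values are assumptions; it needs Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;

// Hypothetical helper: the DB password sits in the config file only in sealed form; the admin
// supplies the passphrase at startup, so no fixed key has to be embedded in code or config.
public final class PbeSecretStore {
    private static final int ITERATIONS = 600_000; // PBKDF2 work factor; tune to ~0.5 s on the server
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    private static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword(); // clears the spec's internal copy only; caller owns the original array
        return new SecretKeySpec(raw, "AES");
    }

    // Encrypt once, offline; the result "salt:iv:ciphertext" (Base64) goes into the config file.
    public static String seal(char[] passphrase, String secret) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        RNG.nextBytes(salt); RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder e = Base64.getEncoder();
        return e.encodeToString(salt) + ":" + e.encodeToString(iv) + ":" + e.encodeToString(ct);
    }

    // Decrypt at startup; a wrong passphrase or a tampered file fails with AEADBadTagException.
    public static String open(char[] passphrase, String sealed) throws Exception {
        String[] p = sealed.split(":");
        if (p.length != 3) throw new IllegalArgumentException("malformed sealed secret");
        Base64.Decoder d = Base64.getDecoder();
        byte[] salt = d.decode(p[0]), iv = d.decode(p[1]), ct = d.decode(p[2]);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; in production read the passphrase via System.console().readPassword().
        char[] pass = "correct horse battery staple".toCharArray();
        String sealed = seal(pass, "db-p@ssw0rd-example");
        System.out.println("sealed: " + sealed + "\nrecovered: " + open(pass, sealed));
        java.util.Arrays.fill(pass, '\0'); // wipe the passphrase from memory once the key is derived
    }
}
```

The trade-off Michel points out remains: someone with the passphrase has to be present at every restart, which is what the smart card or hardware token David mentions is meant to replace.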
