Secure Coding mailing list archives
RE: Java keystore password storage
From: "Chris Matthews" <cmatthews () xn com>
Date: Tue, 26 Apr 2005 22:06:08 +0100
David Crocker wrote:
> I'm by no means an expert in the field of security and Java, but I believe that the usual technique is to encode the password that the user types using a 1-way hashing algorithm, then store (and hide/protect) the encoded version and use that as the password. If an attacker manages to read the password hash, he still has to construct a password that will encode to the same value.
At issue is not the mechanical method of storing the password; it is the fundamental insecurity of storing a password such that an automated process may recover/use said password. If an automated process can recover the password, chances are very good an attacker can, and no cryptographical algorithm will solve that issue. The system is weak, not the individual components.

Cheers,
Chris
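Added example, not part of the original thread: a Java sketch of the exchange above, in which the hashed value is stored and used as the keystore password, so the stored value is itself the credential. The class name, the `app-key` alias, the in-memory PKCS12 keystore and the sample password are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import javax.crypto.KeyGenerator;

public class StoredHashIsThePassword {
    // Hex SHA-256 of what the user typed: the "encoded version" that gets stored.
    static char[] encode(String typed) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(typed.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString().toCharArray();
    }

    // True if the keystore loads and the entry can be read with this password.
    static boolean opens(byte[] ksBytes, char[] password) {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(ksBytes), password);
            return ks.getKey("app-key", password) != null;
        } catch (Exception e) {
            return false; // wrong password: integrity check or key recovery failed
        }
    }

    public static void main(String[] args) throws Exception {
        String typed = "correct horse battery staple"; // constructed sample password
        char[] stored = encode(typed);                  // what ends up on disk

        // Build an in-memory keystore protected by the encoded value.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setEntry("app-key", new KeyStore.SecretKeyEntry(KeyGenerator.getInstance("AES").generateKey()),
                new KeyStore.PasswordProtection(stored));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, stored);
        byte[] ksBytes = out.toByteArray();

        // The unattended service reads the stored value and opens the keystore.
        System.out.println("service, stored value:      " + opens(ksBytes, stored));
        // Any process with the same read access holds the same value; the hash
        // never has to be inverted, so its one-wayness adds no protection here.
        System.out.println("other reader, stored value: " + opens(ksBytes, stored.clone()));
        // The typed password by itself does not open the keystore; only the stored value does.
        System.out.println("typed password, unhashed:   " + opens(ksBytes, typed.toCharArray()));
    }
}
```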