Secure Coding mailing list archives
Re: Java keystore password storage
From: Nash <nash () solace net>
Date: Wed, 27 Apr 2005 15:27:47 +0100
On Tue, Apr 26, 2005 at 11:28:46AM -0400, Chris Matthews wrote:
> David Crocker wrote:
> At issue is not the mechanical method of storing the password; it is the
> fundamental insecurity of storing a password such that an automated
> process may recover/use said password. If an automated process can
> recover the password, chances are very good an attacker can, and no
> cryptographical algorithm will solve that issue. The system is weak, not
> the individual components.

This isn't a "fundamental insecurity." It's just built-in risk. Maybe that's what you mean, but calling it "insecurity" sounds highly categorical.

Running programs have to identify themselves and there are a variety of ways they might do that, but not all of them can involve user interaction. That doesn't make them "fundamentally insecure" and it doesn't mean that "chances are very good" attackers can compromise the credentials.

Not all identities have to be perfectly defended.

-nash

--
An ideal world is left as an exercise for the reader.
- Paul Graham