Secure Coding mailing list archives

Re: Java keystore password storage


From: Blue Boar <BlueBoar () thievco com>
Date: Tue, 26 Apr 2005 12:51:55 +0100

David Crocker wrote:
> I'm by no means an expert in the field of security and Java, but I believe that
> the usual technique is to encode the password that the user types using a 1-way
> hashing algorithm, then store (and hide/protect) the encoded version and use
> that as the password. If an attacker manages to read the password hash, he still
> has to construct a password that will encode to the same value.

That only works if you're the "server", or more accurately, the process
that needs to verify the password.  If you're the "client", or the
process that needs to supply the password, that doesn't help you.

                                        Ryan
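The two roles Ryan distinguishes, as an added illustration that is not part of the original thread: a verifier process can check a password from a stored salted hash, but a process that has to hand the password to a keystore needs the real value. The keystore here is a constructed, simplified stand-in (PBKDF2-derived key plus HMAC over the contents), not the actual JKS format.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed choice for the example


def make_verifier_record(password: str) -> dict:
    """Verifier side: store only a salted PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Verifier side: recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def make_keystore(password: str, contents: bytes) -> dict:
    """Constructed stand-in for a password-protected keystore file."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    mac = hmac.new(key, contents, "sha256").digest()
    return {"salt": salt, "contents": contents, "mac": mac}


def open_keystore(keystore: dict, password: str) -> bool:
    """Supplier side: stand-in for KeyStore.load(stream, password).
    The keystore re-derives its MAC key from the password it is given, so the
    caller must present the real password; a hash of it is just a wrong password."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), keystore["salt"], ITERATIONS)
    mac = hmac.new(key, keystore["contents"], "sha256").digest()
    return hmac.compare_digest(mac, keystore["mac"])


def demo() -> tuple:
    """Returns (verifier accepts real pw, keystore opens with real pw,
    keystore opens with the stored hash)."""
    pw = "changeit"  # constructed sample password
    rec = make_verifier_record(pw)
    ks = make_keystore(pw, b"constructed keystore contents")
    return (
        verify_password(rec, pw),               # verifier: the hash is enough
        open_keystore(ks, pw),                  # supplier: needs the real password
        open_keystore(ks, rec["hash"].hex()),   # supplier: the stored hash does not work
    )


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```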
