Secure Coding mailing list archives

RE: Java keystore password storage


From: "Chris Matthews" <cmatthews () xn com>
Date: Tue, 26 Apr 2005 22:06:08 +0100

David Crocker wrote:

I'm by no means an expert in the field of security and Java, but I believe that the usual technique is to encode the password that the user types using a 1-way hashing algorithm, then store (and hide/protect) the encoded version and use that as the password. If an attacker manages to read the password hash, he still has to construct a password that will encode to the same value.

At issue is not the mechanical method of storing the password; it is the
fundamental insecurity of storing a password such that an automated
process may recover/use said password.  If an automated process can
recover the password, chances are very good an attacker can, and no
cryptographical algorithm will solve that issue.  The system is weak,
not the individual components.

Cheers,
Chris
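The point Chris is making can be shown concretely with the Java KeyStore API. The following is an added example, not code from either poster: it creates a PKCS12 keystore protected by a constructed password, shows that a one-way hash of that password cannot be presented in place of it (the keystore must be loaded with the real secret), and then shows what happens if an application instead adopts the stored hash as the keystore password: the hash simply becomes the password, and any process able to read it can open the keystore. The class name, alias, and passwords are hypothetical; it assumes Java 17 or later for java.util.HexFormat.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.util.HexFormat;
import javax.crypto.spec.SecretKeySpec;

public class KeystorePasswordDemo {

    // Constructed password for the example; in a real system this is the
    // secret that some human or external secret store has to supply.
    static final char[] REAL_PASSWORD = "correct horse battery staple".toCharArray();

    // Build a small PKCS12 keystore (one throw-away AES key entry) protected
    // by the given password and return its serialised bytes.
    static byte[] createKeystore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // fresh, empty keystore
        ks.setEntry("demo-key",
                new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES")),
                new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    // Try to open the keystore with a candidate password. A wrong password
    // fails the PKCS12 integrity check, which surfaces as an IOException.
    static boolean canOpen(byte[] keystoreBytes, char[] candidate) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try {
            ks.load(new ByteArrayInputStream(keystoreBytes), candidate);
            return true;
        } catch (IOException wrongPassword) {
            return false;
        }
    }

    // One-way hash of a password, hex encoded, as the quoted suggestion
    // proposed storing. Useful for *verifying* a typed password, useless
    // as a substitute for it.
    static char[] sha256Hex(char[] password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(digest).toCharArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] ks = createKeystore(REAL_PASSWORD);
        char[] hash = sha256Hex(REAL_PASSWORD);

        // 1. The keystore needs the actual secret; the hash does not open it.
        System.out.println("real password opens keystore:  " + canOpen(ks, REAL_PASSWORD));
        System.out.println("hash of password opens keystore: " + canOpen(ks, hash));

        // 2. If the application is instead built to *use* the stored hash as the
        //    keystore password, the hash is the password. Whoever can read the
        //    hash (config file, database, environment) can open the keystore,
        //    exactly as an automated process can. Hashing changed nothing.
        byte[] ksKeyedByHash = createKeystore(hash);
        System.out.println("stored hash opens hash-keyed keystore: " + canOpen(ksKeyedByHash, hash));
    }
}
```

Running it prints true, false, true: the first two lines show why the hash-and-store suggestion cannot work mechanically, and the last line shows that if it is made to work, the stored value is a plaintext credential again. Nothing about the digest choice changes that; the weakness is in a design where the unattended process holds whatever is sufficient to open the keystore.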
