Secure Coding mailing list archives
Re: Java keystore password storage
From: ljknews <ljknews () mac com>
Date: Tue, 26 Apr 2005 22:05:39 +0100
At 7:20 PM -0700 4/25/05, Blue Boar wrote:
> David Crocker wrote:
> > I'm by no means an expert in the field of security and Java, but I believe that the usual technique is to encode the password that the user types using a 1-way hashing algorithm, then store (and hide/protect) the encoded version and use that as the password. If an attacker manages to read the password hash, he still has to construct a password that will encode to the same value.
>
> That only works if you're the "server", or more accurately, the process that needs to verify the password. If you're the "client", or the process that needs to supply the password, that doesn't help you.
At the client, a password should be entered by a human. Two-factor identification would involve an RSA signature made by a portable device (e.g. smartcard) which is enabled by a password known only to the user. Obviously the channel from the human to the device must be secure, typically by using a keypad on the device independent of the programmable computer system.

-- 
Larry Kilgallen
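The challenge-response flow the reply describes, as an added illustration that is not code from the thread: the verifier stores only a public key (the analogue of a password hash on the server side), while the private key stays inside a device that refuses to sign until the correct PIN is entered. The RSA parameters, PIN and class names are constructed for this example; the primes are toy-sized and far too small for real use.

```python
import hashlib
import hmac
import os

# Toy RSA parameters, constructed for illustration only (tiny primes, insecure).
P, Q = 104729, 1299709          # the 10,000th and 100,000th primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+

def digest_int(data: bytes) -> int:
    """Hash the challenge and reduce it into the modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

class SigningDevice:
    """Stand-in for the smartcard: the private exponent never leaves it,
    and a PIN (entered on the device's own keypad) gates every signature."""
    def __init__(self, d: int, n: int, pin: str):
        self._d, self._n = d, n
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def sign(self, challenge: bytes, pin: str) -> int:
        entered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(entered, self._pin_hash):
            raise PermissionError("wrong PIN: device refuses to sign")
        return pow(digest_int(challenge), self._d, self._n)

class Verifier:
    """Server side: holds only the public key, so reading its store
    yields nothing that can be replayed as a credential."""
    def __init__(self, e: int, n: int):
        self._e, self._n = e, n

    def challenge(self) -> bytes:
        return os.urandom(16)   # fresh nonce per login defeats replay

    def verify(self, challenge: bytes, signature: int) -> bool:
        return pow(signature, self._e, self._n) == digest_int(challenge)

def authenticate(device: SigningDevice, verifier: Verifier, pin: str) -> bool:
    """One round: verifier issues a nonce, device signs it, verifier checks."""
    nonce = verifier.challenge()
    try:
        return verifier.verify(nonce, device.sign(nonce, pin))
    except PermissionError:
        return False

if __name__ == "__main__":
    card = SigningDevice(D, N, pin="4321")     # constructed PIN
    print("correct PIN:", authenticate(card, Verifier(E, N), "4321"))
    print("wrong PIN:  ", authenticate(card, Verifier(E, N), "0000"))
```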