Re: Putting passwords in a properties file?
On Fri, 25 Sep 2009 08:22:21 -0400, Lew wrote:

rossum wrote:
On Fri, 25 Sep 2009 11:43:13 +0200, Xavier Nayrac
<xavier____n_a_yrac@xxxxxxxxx> wrote:

Uli Kunkel wrote:
I need to put a password for something as an application parameter.
For now I'm using a properties file but the password isn't encrypted.

I suppose I could encrypt with something and hardcode that encryption
key in the application.

Why use a key? Why not use a hash (SHA*, MD5)?
As I understand the question, this is not a file of user passwords that
are checked when the users log on; for that purpose using a hash would
be correct. This appears to be a password to a back end application
(?database?) that the server is logging on to, and the server needs to
pass the actual password to the application, not a hash of the
password.

For this purpose the ability to decrypt to get back the original text
of the password is essential. Hence the need for a key.

What I've tried, but I cannot vouch for the non-hackability of it, is to
store the hash (e.g., MD5) of the password in the file or database.
When a user logs on, I compare the hash of their password to the stored
value.

I imagine that a hacker who obtained the stored value would have trouble
reversing the hash to a valid password.

This makes the ability to decrypt to get back the original text of the
password non-essential.

I would think it's pretty robust. It's what UNIX does (and maybe has
always done). UNIX doesn't store passwords in the passwd database (or
whatever other database it uses, e.g. LDAP). It uses the crypt hashing
function and stores the hash. Any time it needs to authenticate a
password against the hash it crypts the password using the same algorithm
and compares that to the stored hash.

--
Nigel Wade
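As an added illustration of the crypt-style scheme Nigel describes (example code, not from anyone in the thread): the table stores a salt plus an iterated hash, and a login is checked by re-hashing the candidate and comparing. It uses PBKDF2-SHA256 in place of the original crypt/MD5 hash, and the record format and sample users are constructed for the demo. The same one-way property is what rules the scheme out for the back-end password case rossum raises: nothing stored here can be turned back into a password the server could present.

```python
"""Salted, iterated password hashing in the style of UNIX crypt(3): the
file stores salt + hash, never the password; a login is verified by
re-hashing the candidate with the same salt and parameters."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"  # assumed record format: alg$iterations$salt_hex$hash_hex
ITERATIONS = 100_000         # deliberately slow so guessing from a leaked record is expensive


def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Return the record to store. A fresh random salt per password means two
    users with the same password get different records and precomputed tables
    of common passwords are useless against the file."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in
    constant time; a malformed or foreign record never verifies."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds < 1:
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(recomputed, expected)


# Constructed sample table (username -> record). The plaintexts exist only
# here, where the demo generates the records; the table itself holds none.
SAMPLE_USERS = {
    "alice": hash_password("correct horse battery"),
    "bob": hash_password("hunter2"),
}
# Record for unknown usernames, so a failed login costs the same time either way.
_DUMMY_RECORD = hash_password(os.urandom(16).hex())


def authenticate(users: dict, username: str, candidate: str) -> bool:
    """Login check in the crypt(3) style: nothing is ever decrypted, because
    nothing in the table can be decrypted."""
    ok = verify_password(users.get(username, _DUMMY_RECORD), candidate)
    return ok and username in users
```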