Comments on Javarevisited: Dealing with Password in Java Application? 5 Best Practices You Should Follow
Feed author: javin paul (http://www.blogger.com/profile/15028902221295732276)
Feed last updated: 2024-03-18 23:01 (-07:00)

atc (http://atc.gd/), 2012-06-08 06:06 (-07:00):
Passwords should NOT be encrypted but in fact hashed using bcrypt + a per-password salt. Please amend this, it's bad advice!

Javin, 2012-06-08 06:15 (-07:00):
@atc, Indeed passwords should be hashed and salted, and most security frameworks like Spring Security support this; the point there was to at least keep them encrypted instead of in clear text. Thanks for asserting the need for hashed + salted passwords.
Javin @ ldap authentication using spring security: http://javarevisited.blogspot.com/2011/11/ldap-authentication-active-directory.html

Craig (https://www.blogger.com/profile/07986308516429741062), 2012-06-11 09:35 (-07:00):
2) Store password in char[] instead of String

This is (IMHO) a bad idea for a few reasons:

1. That's going to massively complicate things. Strings maintain information about character encodings - char[] (obviously) does not. So if you use char[], you have to be very careful to always use the same encoding. This is critical if you support non-US English users (and you

Anonymous (https://www.blogger.com/profile/00990321901464126950), 2012-06-11 22:52 (-07:00):
Hi Javin,

I came up with an idea sometime back, by using encryption. Check it out and give me your suggestion.

http://freeze-cse.blogspot.co.uk/2012/05/pursuit-of-better-password-storing.html

Regards,
Fareez

Richard Hash (https://www.blogger.com/profile/07526213601735023516), 2012-07-24 09:45 (-07:00):
So how do you get around using java.sql DriverManager or Driver? The APIs require a String object, which means at least once you'll have to convert your char[] to a String, and once you've done that, it's immutable, it's in memory, you can't overwrite it, and you are hosed...

Javin, 2012-07-25 05:15 (-07:00):
Hi Richard, you bring a valid point; it's not always possible. It depends upon the information: for SSNs and passwords you have got to be more secure than for application-specific details like JDBC passwords, where you can afford that, but having a naked password in a config file is bad; rather, you should have an encrypted password there.
Javin @ transient vs volatile: http://javarevisited.blogspot.sg/2012/03/difference-between-transient-and.html

Richard Hash (https://www.blogger.com/profile/07526213601735023516), 2012-07-25 05:39 (-07:00):
This is where something like .NET's SecureString might be useful in Java...