Re: user password question?

 
 
DrAcKe
06-28-2003
On 26 Jun 2003 19:21:34 -0700, (E-Mail Removed) (Peter) wrote:

>Hi
> In my program, the user has to enter the correct password before using
>it. I encrypt the password and save it into a file. Good enough for
>security?
> Any improvement I can have?
>
>thanks
>from Peter ((E-Mail Removed))


I think that saving the password in a file could be a security breach.
If users only have access to your program, I think that policy
is good, but if any user has access to the whole system, remember that
Java classes can be decompiled.

By3z, DrAcKe

PS Sorry, but I don't speak English well.
 
rkm
06-28-2003
> On 26 Jun 2003 19:21:34 -0700, (E-Mail Removed) (Peter) wrote:
>
>>Hi
>> In my program, the user has to enter the correct password before using
>>it. I encrypt the password and save it into a file. Good enough for
>>security?
>> Any improvement I can have?
>>
>>thanks
>>from Peter ((E-Mail Removed))


From the encryption texts I've read, if this is a one-way
encryption with a sufficiently complex encryption algorithm
(not reversible, I mean), then the only way to produce the
key you've stored in the file is to know the original
password, or use brute force and try every possibility until
you find it. But you should be able to thwart that.

 
Peter
06-29-2003
Thanks for the reply.
Linux also saves the user password in a text file. I guess it has no
problem if the encryption is strong enough.

thanks
from Peter ((E-Mail Removed))


rkm <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> > On 26 Jun 2003 19:21:34 -0700, (E-Mail Removed) (Peter) wrote:
> >
> >>Hi
> >> In my program, the user has to enter the correct password before using
> >>it. I encrypt the password and save it into a file. Good enough for
> >>security?
> >> Any improvement I can have?
> >>
> >>thanks
> >>from Peter ((E-Mail Removed))
> >
> > From the encryption texts I've read, if this is a one-way
> > encryption with a sufficiently complex encryption algorithm
> > (not reversible, I mean), then the only way to produce the
> > key you've stored in the file is to know the original
> > password, or use brute force and try every possibility until
> > you find it. But you should be able to thwart that.

 
Jeroen Wenting
07-04-2003
There are free and cheap embedded Java databases available if you want them.
http://sourceforge.net/projects/hsqldb/ is a well known one.

"Peter" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> thanks Marco
> I am developing a commercial program; at the beginning I wanted to
> use an embedded database to store the users' passwords. But it is too
> expensive, so I am finding another way to store user passwords.
>
> thanks
> from Peter ((E-Mail Removed))
>
> Marco Schmidt <(E-Mail Removed)> wrote in message
> news:<(E-Mail Removed)>...
> > Peter:
> >
> > > Linux also saves the user password in a text file. I guess it has no
> > >problem if the encryption is strong enough.
> >
> > But the password is saved in a file that only root can modify. Your
> > Java program will have to check with a file that the user is not
> > allowed to modify.
> >
> > Even then, the user could decompile the program, remove the password
> > check and then run the modified program.
> >
> > What exactly does the program do that you want to keep away from
> > users? Maybe there is a better way than on the application level.
> >
> > Regards,
> > Marco



 
Roedy Green
07-04-2003
On 29 Jun 2003 09:04:22 -0700, (E-Mail Removed) (Peter) wrote or
quoted :

> Linux also saves the user password in a text file. I guess it has no
>problem if the encryption is strong enough.


It more likely saves a DIGEST of the password in a text file.

See http://mindprod.com/jgloss/digest.html

Given the digest it is not at all easy to guess the original password.

In a client server situation, it does NOT help to send a digested
password. If the communication is intercepted, the hacker can login
just by sending the digest. He does not need to figure out the
original password.


In a highly secure system, the server has a public key which is no
secret. It is also embedded in applets.

The Applet encrypts the password using that public key. Only the
server can decrypt them, since it is the only one with the matching
private key.

There are other techniques with challenge phrases the other party
encrypts with its private key to prove it is who it claims to be.
--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
 
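Roedy's public-key scheme above, written out as an added example that is not code from any poster in this thread: the client seals the password under the server's RSA public key using OAEP padding, and only the holder of the matching private key can open it. The class and method names are my own, and the key pair is generated in-process for the demo rather than being distributed inside an applet as Roedy describes.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class PublicKeyPasswordDemo {   // hypothetical class name for this example

    // RSA with OAEP padding and SHA-256 for both the hash and the mask generation
    // function; the parameters are given explicitly so both sides agree on them.
    static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    /** In real use the server generates this once and ships only getPublic() to clients. */
    static KeyPair generateServerKeys() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    /** Client side: needs only the public key, which is no secret. */
    static byte[] sealPassword(PublicKey serverPublic, char[] password)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, serverPublic, OAEP);
        return cipher.doFinal(new String(password).getBytes(StandardCharsets.UTF_8));
    }

    /** Server side: only the matching private key can recover the password. */
    static char[] openPassword(PrivateKey serverPrivate, byte[] sealed)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, serverPrivate, OAEP);
        return new String(cipher.doFinal(sealed), StandardCharsets.UTF_8).toCharArray();
    }

    public static void main(String[] args) throws Exception {
        KeyPair server = generateServerKeys();
        byte[] sealed = sealPassword(server.getPublic(), "s3cret".toCharArray());
        System.out.println("server recovers: "
                + new String(openPassword(server.getPrivate(), sealed)));

        // A different key pair cannot open the sealed password: OAEP decoding
        // fails and the provider throws instead of returning garbage.
        KeyPair other = generateServerKeys();
        try {
            openPassword(other.getPrivate(), sealed);
            System.out.println("unexpected: opened with the wrong key");
        } catch (GeneralSecurityException e) {
            System.out.println("wrong private key rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Two caveats a practitioner would add. The client must be sure it holds the genuine server public key (embedding it in the applet, as Roedy suggests, is one way to pin it), otherwise an impostor's key would be used. And encryption alone does not remove the replay problem Roedy raises for digests: an intercepted ciphertext can be resent as-is unless the server also binds each login to a fresh challenge, which is the approach his last paragraph and Sudsy's reply describe.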
Roedy Green
07-04-2003
On 4 Jul 2003 00:09:50 -0700, (E-Mail Removed) (Peter) wrote or
quoted :

> I am developing a commercial program; at the beginning I wanted to
>use an embedded database to store the users' passwords. But it is too
>expensive, so I am finding another way to store user passwords.


Probably a serialised array of digested passwords would suffice if you
don't have huge numbers of users.
--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
 
Sudsy
07-04-2003
Roedy Green wrote:
> On 29 Jun 2003 09:04:22 -0700, (E-Mail Removed) (Peter) wrote or
> quoted :
>
>> Linux also saves the user password in a text file. I guess it has no
>>problem if the encryption is strong enough.
>
> It more likely saves a DIGEST of the password in a text file.
>
> See http://mindprod.com/jgloss/digest.html
>
> Given the digest it is not at all easy to guess the original password.
>
> In a client server situation, it does NOT help to send a digested
> password. If the communication is intercepted, the hacker can login
> just by sending the digest. He does not need to figure out the
> original password.


That's not how it works. The server sends a random value to the client
which then uses the password in a one-way (trap-door) algorithm to
generate the result returned to the server. The server applies the
known client password to the random value using the same algorithm
and compares the results. No match = no validation.

 
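Sudsy's exchange above, written out as an added example (not code from any poster): the server sends a random value, the client returns a keyed one-way function of that value, and the server recomputes it with its own copy of the client secret and compares. All names are mine. The example uses HMAC-SHA256 as the one-way function and derives the shared secret from the password with PBKDF2, so the server keeps a derived key rather than the plaintext password; the salt is a constructed constant for the demo and would be stored per user in practice.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class ChallengeResponseDemo {   // hypothetical class name for this example

    // Constructed demo salt; a real deployment stores one random salt per user.
    static final byte[] SALT = "demo-salt-per-user".getBytes(StandardCharsets.UTF_8);

    /** Both sides derive the same secret from the password (PBKDF2, 100k rounds). */
    static byte[] deriveKey(char[] password) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, SALT, 100_000, 256);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return f.generateSecret(spec).getEncoded();
    }

    /** The one-way, keyed step Sudsy describes: HMAC-SHA256 over the challenge. */
    static byte[] hmac(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    /** Server side: holds only the derived key and issues a fresh random challenge per login. */
    static class Server {
        private final byte[] storedKey;
        private final SecureRandom rng = new SecureRandom();
        private byte[] outstandingNonce;

        Server(byte[] storedKey) { this.storedKey = storedKey; }

        byte[] challenge() {
            outstandingNonce = new byte[32];
            rng.nextBytes(outstandingNonce);
            return outstandingNonce.clone();
        }

        boolean verify(byte[] response) throws Exception {
            if (outstandingNonce == null) return false;
            byte[] expected = hmac(storedKey, outstandingNonce);
            outstandingNonce = null;   // each challenge is answered at most once
            return MessageDigest.isEqual(expected, response);   // constant-time compare
        }
    }

    /** Client side: proves knowledge of the password without ever sending it. */
    static byte[] respond(char[] password, byte[] nonce) throws Exception {
        return hmac(deriveKey(password), nonce);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "correct horse".toCharArray();
        Server server = new Server(deriveKey(password));

        byte[] nonce = server.challenge();
        byte[] response = respond(password, nonce);
        System.out.println("genuine login accepted: " + server.verify(response));

        // A captured response is useless later: the server has issued a new
        // nonce, so the old HMAC no longer matches what it expects.
        server.challenge();
        System.out.println("replayed response accepted: " + server.verify(response));

        byte[] wrong = respond("wrong password".toCharArray(), server.challenge());
        System.out.println("wrong password accepted: " + server.verify(wrong));
    }
}
```

Running it prints true for the genuine login and false for both the replayed response and the wrong password. Note that in this symmetric form the server's stored key is itself enough to answer challenges, so the file holding it needs the same protection Marco asks for earlier in the thread, and a nonce must never be reused across logins.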
Roedy Green
07-05-2003
On Fri, 04 Jul 2003 14:20:20 -0400, Sudsy <(E-Mail Removed)>
wrote or quoted :

>That's not how it works


I was pointing out why you could NOT do it that simple way. I was not
asserting it was done that way.

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
 
Sebastian Hoehn
07-05-2003
On Sun, 29 Jun 2003 09:04:22 +0000, Peter wrote:

> Thanks for the reply.
> Linux also saves the user password in a text file. I guess it has no
> problem if the encryption is strong enough.


It's not true that this is not a problem! In a well-configured Linux the
password file is readable by root only. You can do a very simple
brute-force attack if you can download the file.

You should also remember that the same password for two different users
should not have the same encrypted text, for it's easy to guess passwords
that appear more than once for different users.

- Sebastian
 
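Roedy's "serialised array of digested passwords" combined with Sebastian's point about identical passwords producing identical stored values, as an added example that is not code from the thread: every user gets a random salt, the stored value is a PBKDF2 digest over salt and password, the whole map is serialised to a file, and a login recomputes the digest with the stored salt. Class and method names are mine; the users and passwords in main are constructed sample data.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStore implements Serializable {   // hypothetical class name
    private static final long serialVersionUID = 1L;
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();   // static, so not serialised

    /** One entry per user: a random salt and the PBKDF2 digest of salt + password. */
    static final class UserEntry implements Serializable {
        private static final long serialVersionUID = 1L;
        final byte[] salt;
        final byte[] digest;
        UserEntry(byte[] salt, byte[] digest) { this.salt = salt; this.digest = digest; }
    }

    private final Map<String, UserEntry> users = new HashMap<>();

    private static byte[] digest(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    public void addUser(String name, char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);   // fresh salt per user: equal passwords differ on disk
        users.put(name, new UserEntry(salt, digest(password, salt)));
    }

    public boolean check(String name, char[] password) {
        UserEntry e = users.get(name);
        if (e == null) {
            digest(password, new byte[SALT_BYTES]);   // same cost whether or not the user exists
            return false;
        }
        return MessageDigest.isEqual(e.digest, digest(password, e.salt));   // constant-time compare
    }

    byte[] digestOf(String name) { return users.get(name).digest.clone(); }

    public void save(File f) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f))) {
            out.writeObject(this);
        }
    }

    public static PasswordStore load(File f) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(f))) {
            return (PasswordStore) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample users; alice and bob deliberately share a password.
        PasswordStore store = new PasswordStore();
        store.addUser("alice", "hunter2".toCharArray());
        store.addUser("bob", "hunter2".toCharArray());

        File f = File.createTempFile("users", ".ser");
        f.deleteOnExit();
        store.save(f);
        PasswordStore loaded = load(f);

        System.out.println("alice/hunter2: " + loaded.check("alice", "hunter2".toCharArray()));
        System.out.println("alice/Hunter2: " + loaded.check("alice", "Hunter2".toCharArray()));
        System.out.println("mallory/hunter2: " + loaded.check("mallory", "hunter2".toCharArray()));
        System.out.println("alice and bob store the same digest: "
                + Arrays.equals(loaded.digestOf("alice"), loaded.digestOf("bob")));
    }
}
```

Run as-is it reports true for alice's correct password, false for the wrong case and for the unknown user, and false for the last line: the two identical passwords produce different digests because of their salts, which is exactly the property Sebastian asks for. The file still needs the protection Marco describes for /etc/shadow: it must be writable only by a trusted account, since anyone who can rewrite the serialised object can replace every digest, and ObjectInputStream should never be pointed at a file an untrusted user can edit.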