Java Keystore - Where to store the 'Master Password'?
Question
I am developing a Java Swing app that needs to hold passwords to remote servers. I have decided to use the KeyStore to accomplish this.
I store each password under an Alias/Master Password and retrieve them using the same Alias/Master Password.
My question is:
Where should the Master Password be stored?
This is not a cheap attempt at a paradox but a serious question and I am interested in knowing how this problem can be solved.
I don't have any real experience in this area and any help would be appreciated.
2 answers
solution1
1 2012-02-28 16:57:43
I store each password under an Alias/Master Password and retrieve them using the same Alias/Master Password.
There is a misunderstanding here.
The keystore is a container for your private credentials and trusted certificates and not just some generic database/hashtable to store passwords.
The best approach would be to store the hash of the password in the database.
Where should the Master Password be stored?
This is a very common problem that comes up very frequent.
Just keep it in your source code which, yes can be decompiled, but delegate the responsibility to the user to keep his account private so that this files are not stolen/examined eg via a decompiler
solution2
0 2012-02-28 16:58:52
The master password should either:
- be given online by the user
- or be stored encrypted with a user-given password. This last should be informed online by the user.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.