How To Securely Store Credentials?
Member
Posts: 5,988
Joined: May 6 2006
Gold: 30.00
Jan 12 2015 11:39pm
I have a Java app where I am sending an email from a Gmail account, but the credentials (username / pw) are currently hardcoded.

What is a safe and easy way to fetch and use the login credentials?



Edit: I'm kinda realizing now that even if the credentials were stored server-side, a hacker could still be able to see the password when it runs through this part of the code.

Code
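import javax.mail.Authenticator;
import javax.mail.PasswordAuthentication;

// Supplies the Gmail login to JavaMail when the mail session asks for it.
class GMailAuthenticator extends Authenticator {
    private final String user;
    private final String pw;

    public GMailAuthenticator(String username, String password)
    {
        super();
        this.user = username;
        this.pw = password;
    }

    // The password is held and returned in plaintext because the mail server needs it.
    @Override
    public PasswordAuthentication getPasswordAuthentication()
    {
        return new PasswordAuthentication(user, pw);
    }
}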


This post was edited by oOn on Jan 12 2015 11:43pm
Member
Posts: 82
Joined: Nov 11 2014
Gold: 200.00
Jan 13 2015 01:14am
One option is the use of salting and hashing.

http://en.wikipedia.org/wiki/Salt_%28cryptography%29
http://en.wikipedia.org/wiki/Cryptographic_hash_function
Member
Posts: 62,215
Joined: Jun 3 2007
Gold: 9,039.20
Jan 13 2015 05:05am
Honestly, you might not need any salty hashes; with the Java I usually see, I doubt an attacker would waste his time reading through it.

In all seriousness, don't do your own crypto or security; use a library that does it. Salt your hashes definitely, but do it right.

You could do cute stuff like passwordstring.toCharArray(); too, but that isn't going to stop someone who's already on your server.

Look into Bcrypt, in my opinion.

https://www.google.com/search?q=bcrypt+java&oq=bcrypt+java
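
Salting and hashing (bcrypt included) protect passwords an application only has to verify; the mail login in the first post has to present the password itself, so the hardcoded value is better moved out of the source and loaded at run time. An added example, not code from the thread, that does this with the JDK only; the names `MailCredentials`, `MAIL_USER` and `MAIL_PASSWORD_FILE` and the sample values in `main` are assumptions made for illustration:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Map;
import java.util.Set;
// Added example: reads the mail login at run time so it is not compiled into the app.
public final class MailCredentials {
    public final String user;
    public final String password;
    private MailCredentials(String user, String password) {
        this.user = user;
        this.password = password;
    }

    // MAIL_USER and MAIL_PASSWORD_FILE are assumed variable names.
    public static MailCredentials load(Map<String, String> env) throws IOException {
        String user = env.get("MAIL_USER");
        String file = env.get("MAIL_PASSWORD_FILE");
        if (user == null || user.isBlank() || file == null || file.isBlank())
            throw new IllegalStateException("MAIL_USER and MAIL_PASSWORD_FILE must be set");
        Path path = Path.of(file);
        // On POSIX file systems, refuse a secret file that group or others can read.
        if (path.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ))
                throw new IllegalStateException(path + " must be readable by its owner only");
        }
        String password = Files.readString(path).strip();
        if (password.isEmpty()) throw new IllegalStateException(path + " is empty");
        return new MailCredentials(user, password);
    }

    @Override
    public String toString() { // never print the secret itself
        return "MailCredentials[user=" + user + ", password=<redacted>]";
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temporary secret file and a fake environment map.
        Path secret = Files.createTempFile("mail", ".secret"); // owner-only on POSIX
        Files.writeString(secret, "constructed-app-password\n");
        MailCredentials c = load(Map.of("MAIL_USER", "sender@example.com",
                                        "MAIL_PASSWORD_FILE", secret.toString()));
        System.out.println(c); // pass c.user and c.password to GMailAuthenticator
        Files.delete(secret);
    }
}
```

In a deployment, `load(System.getenv())` replaces the constructed map. The password still exists in the running process's memory, so this limits exposure through source code and builds rather than on a host that is already compromised.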