1

I have got a username & password combo that I will be using to access a secured server via java code.

My idea is to:

  1. Store encrypted credentials externally
  2. Prompt user for the decryption password upon execution
  3. Store the decrypted credentials in a char array directly before use
  4. Connect to DB using the credentials
  5. Replace char arrays with zeros after use

Is this the recommended way of performing this kind of task?

I read that credentials should be stored externally, how should these be stored?

Improve this question
4
  • 1
    The credentials for a database shouldn't be the user's credentials... they should be the credentials for the application that talks to the database. Commented Jan 20, 2016 at 5:14
  • Can you please elaborate? An application will have different credentials compared to a user? Doesn't this still mean these credentials can be stolen and the data on the DB could be leaked? Commented Jan 20, 2016 at 5:52
  • I elaborated on this with my answer, which is not complete, but addresses it somewhat more thoroughly. Commented Jan 20, 2016 at 6:10
  • In terms of the code you've posted here, I'd suggest using the code review website: codereview.stackexchange.com . One thing that jumps out at me immediately, you are using "Random" for your salt, but "Random" is not cryptographically strong. Commented Jan 20, 2016 at 6:18

1 Answer 1

Reset to default
1

There are a couple things that I think are problematic with this description:

  1. You imply that the credentials provided by the user are the credentials for the database. A database typically stores a significantly larger amount of information that what any individual user should have access to. Furthermore, even if you managed to get this right in terms of ensuring that the database's various tables/rows had the correct levels of access, making the end user credentials synonymous with database credentials would greatly hamper any automated server-side processing that needs to be run over user data (e.g. to aggregate statistics, build models, or even to act on the user's behalf in the background where the end user is not present at the screen). Thus, it is far more common (and for the reasons stated, preferable), for the granularity of access enforced by a database to correspond to the access of programs that run in your server environment, with these programs checking end user credentials, instead.

  2. You imply that the server will store the user's password. This is generally an anti-pattern, as storing the password, itself, will open up the user to far greater risk in the event of a compromise (especially if that password has been reused on other services). In general, systems should only store the hash of a password (and salt) -- typically using bcrypt -- that you use to determine a match when the user enters their password, without storing the actual password.

In terms of reducing risk, there are a couple key things to consider:

  1. Segment data and provide layers of indirection where possible. That is, the database should be isolated (think different virtual machine, different OS user) from the applications that talk to it. Authentication credentials should be managed by probably a completely separate database and server application than other data. Programs that need to validate user credentials should never actually see the user credentials or the hashed password, either; they should be given short-lived access tokens that are handed out by the subsystem that does authentication. Etc.

  2. Penetration test, penetration test, penetration test. You will get this wrong the first time. And probably even the second time. Make sure you detect (and fix) these problems before the bad guys detect and exploit them, by regularly getting an independent outsider to pentest.

  3. Automate your testing and QA processes. Tested code is much safer than untested code; if you have unit tests that are run in an automated fashion, you are more likely to catch security gaffes, and you will also be protected from regressions in security-sensitive parts of the code.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Not sure if you fully understand my question. My software needs access to a database to read certain tables. Instead of hard coding the [ip/username/password] of the database, I decided it would be safer to encrypt these details with a password, then anyone who needs to use this software will be provided with the decryption password (users will be limited to about 2 or 3 reliable employees).
Also it is worth noting these employees will not have access to the actual database login information, this is restricted information.
@ChickenFeet that makes sense, assuming that the "user" of your software is really other programs/developers (not the true end-user). I agree with the scheme in general. One slight modification I'd make is that the person who runs the application that talks to this database will probably need more than just credentials to your database (they may also need API keys and other sensitive information). You may want to make retrieving these all part of a similar system; you probably also want separate "development" and "production" versions of the authentication.
Okay great, Thanks for your answers / feedback :)
Should I still be using a salt in this circumstance?
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.