在Java中安全存储密码的最佳实践是什么? [英] What is the best practice for securely storing passwords in Java
问题描述
在Java桌面应用程序中存储密码的推荐方法是什么?
What would be the recommended way for storing passwords in a Java desktop application?
我希望用户只能输入一次credencials而不是再次提示。
I want the user to have the ability to enter the credencials only once and not be prompted again.
在个人项目中,我一直在使用Preferences API,但我认为这与以纯文本(安全方面)存储它没有区别。
On personal projects I've been using the Preferences API, but I'm assuming this is no different than storing it in plain text (security wise).
非常感谢
编辑:
非常感谢您的建议。似乎有一些混乱,毫无疑问,因为我可能没有把问题弄得很清楚...
Many thanks for your suggestions. There seems to be some confusion, no doubt because I might have not made the question very clear...
我会给出一个假设的场景:
I'll give an hypotetical scenario:
假设我正在为远程数据库创建一个简单的前端,该数据库使用用户名/密码创建连接字符串。通常,每次应用程序启动时都会提示用户输入用户名/密码组合。
Say I'm creating a simple front-end for a remote database which creates a connection string with username/password. Normally the user would be prompted to enter the username/password combination each time the application starts.
将密码存储在用户计算机中的最佳方法是什么需要重新输入(在应用程序启动时自动连接)。
What would be the best way to store that password in the user's machine, without the need to re-enter it (connecting automatically upon application start).
一种记住我的功能(我知道这本身并不是一个很好的做法......)
A kind of "remember me" functionality (which I know in itself is not a very good practice...)
EDIT2:
感谢大家的回答。 $ b $bPaŭloEbermann对手头的问题非常有用,Chris Smith的链接很有趣,但我接受了JVerstry的一个,因为密钥库可能是我正在采取的路线。
Thanks for your answers everyone. Paŭlo Ebermann's was very informative about the problems at hand and Chris Smith's link was interesting, but I've accepted JVerstry's one, as keystores might be the route I'm taking.
推荐答案
您可以使用本地密钥库来放置密码而不是密钥。
You can use a local keystore where you could put passwords instead of secret keys.
回答编辑:
Keystores非常适合您的需求。如果您需要额外的保护,可以在用户启动应用程序时要求用户输入一个密码来访问所有密码。然后,您可以使用启动应用程序时使用的一个密码,使用简单的salt-and-stretch方法(生成加密密钥)来保护存储的数据库密码。
Keystores are a perfect fit for your need. If you want extra protection, you could ask the user for one password to access all passwords when he starts the application. Then, you could protect stored database password with a simple salt-and-stretch method (to generate an encryption key) using the one password he used when starting the application.
这篇关于在Java中安全存储密码的最佳实践是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
