Encrypt a password in a preferences/properties file - Java

I'm no expert in cryptography, cracking passwords and security. I need to store in the preferences a password and username for a SQL server that I'll use to connect the client to the SQL server.

I've been reading around, mostly here in SO but most of them are older than 2 years and we all know the security world is changing on a fast pace.

From what I read, I came to the conclusion that most people suggest hashing the password using SHA-XXX and/or recommend using jasypt to encrypt and decrypt the password

So my question is what is the most secure way to protect passwords in a preferences file? Can I just use SHA-512 with salt and save the salt in the preferences file as well? Is this safe?

dazito Avatar asked Nov 05 '25 11:11

dazito


1 Answer

It seems like you want to later decrypt and use that password to authenticate to the server. This means you can't hash it - hashing is good if you want the user to enter the password and then check if it is correct, but you cannot decrypt a hashed password to present it to the server.

Since your application will need to be able to decrypt the password to use it, an attacker that gains access to the configuration file will be able to decrypt the password the same way your application does it. No matter what you do, you can only make it more annoying to get the password (i.e. obfuscation/security by obscurity).

Steps you can take (program names that take that approach in braces):

  • Encrypt it in some proprietary way. It doesn't need to be secure, because no matter what you do, it won't. If someone bothers to find out how you did it, they can write a tool that will show the password. There is nothing you can do about that. You are only protecting against casual reading, and even a simple XOR is good enough for that. (Miranda)
  • Encrypt it using some proper encryption (again, don't worry too much about it, you're only using it because it is easier than doing it yourself) using a static key (anyone who gets the key will be able to decrypt it).
  • Encrypt it using some proper encryption and a random key and store the key next to the password. (Firefox)
  • Encrypt it using some proper encryption using a key derived from some data that changes across systems (e.g. the user or system SID on Windows). This has the advantage that if someone steals the config (and nothing else) and later tries to decrypt it, he can't. This has the disadvantage that copying a config file to another installation will break the password, so you need to handle that case.
  • Not encrypt it to avoid giving a false kind of security. (Pidgin)
  • Store the password in some kind of OS-provided wallet/credential manager (Windows credential manager, Gnome keyring, KDE wallet).
Jan Schejbal Avatar answered Nov 07 '25 05:11

Jan Schejbal
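The "proper encryption with a random key stored next to the password" option from the answer, as an added Java example that is not code from the question or the answer. It assumes the property names db.key, db.password.iv and db.password and uses only JDK classes; the key living in the same file is exactly why this only stops casual reading, as the answer says.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class PrefsPasswordStore {
    private static final String ALG = "AES/GCM/NoPadding";
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    // Generated once; stored in the properties file beside the ciphertext (the Firefox-style approach).
    static byte[] newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey().getEncoded();
    }

    // Fresh random IV per encryption; GCM also adds an authentication tag, so a tampered
    // file fails decryption with AEADBadTagException instead of yielding garbage.
    static void store(Properties p, byte[] key, String password) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance(ALG);
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder e = Base64.getEncoder();
        p.setProperty("db.key", e.encodeToString(key));            // assumed property names
        p.setProperty("db.password.iv", e.encodeToString(iv));
        p.setProperty("db.password", e.encodeToString(ct));
    }

    static String load(Properties p) throws Exception {
        Base64.Decoder d = Base64.getDecoder();
        Cipher c = Cipher.getInstance(ALG);
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(d.decode(p.getProperty("db.key")), "AES"),
               new GCMParameterSpec(TAG_BITS, d.decode(p.getProperty("db.password.iv"))));
        return new String(c.doFinal(d.decode(p.getProperty("db.password"))), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        store(p, newKey(), "s3cret-db-pass");   // constructed sample password
        p.store(System.out, "anyone who can read this file can decrypt db.password with db.key");
        System.out.println("decrypted: " + load(p));
    }
}
```

Swapping newKey() for a key derived from machine-specific data gives the answer's fourth option, with the same caveat that the file then stops working when copied to another installation.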


