Secure way to save password in configuration file
I'm developing a desktop application and it required connecting to a remote MySQL database server, currently I save all information (server IP, TCP port, username, password, database name) needed for the connection in a configuration file call
I realize this is not secure way of doing things and I would like to know the most secure and professional way of keeping secure data like this.
I developed it in Java 7.0; my intention is to run it on Windows 7 as well as Ubuntu Linux.
@S.L.Barth I developed it in java 7.0 my intention is to run it in Windows 7 as well as Linux Ubuntu
@Begueradj I developed it in java 7.0 my intention is to run it in Windows 7 as well as Linux Ubuntu
Ok, I've taken the liberty of editing that into your question. BTW if you disagree with edits, you can roll them back. To roll an edit back, click on the "edited ... ago" link. That takes you to the revision history, where you can roll back to a previous version of your post. Meanwhile, good luck, hope you'll get a useful answer!
Use the operating system's password manager rather than store the password yourself. Otherwise there's no proper way, you'll have to keep it clear-text (or some obfuscated, perfectly recoverable equivalent that only provides illusion of security).
You could use ESAPI to encrypt your configuration files. There are some details here: https://www.owasp.org/index.php/How_to_encrypt_a_properties_file
Data stored in a text file stay there in clear format unless you encrypt that file itself.
As the other answerer said, better to store your credentials in the MySQL database itself. Hash and salt your password (and why not using a pepper too?)
Useful links with very good answers:
Following your comments:
- You either want to do the same thing as Wordpress, Joomla and other famous CMS do: create a separate table where you can store such information.
- Or may be you are hosting your web application on a server on which you are limited in order the number of DBs and tables within a DB you are allowed to create: in that case, you can create a PHP configuration file (instead of a text file) where you store that information and follow the good practices in such situations (such as protecting the folder in which this file is located with an
problem is I have to save database credentials outside the database so saving a credentials in a file is the only solution I came up with
When my application starts it read my credential file and establish a connection with database server, all the users credentials are in database table,to establish a connection with database, my application must have a database credentials out side the database