Secure way to save password in configuration file

  • I'm developing a desktop application and it required connecting to a remote MySQL database server, currently I save all information (server IP, TCP port, username, password, database name) needed for the connection in a configuration file call app_config.property.
    I realize this is not secure way of doing things and I would like to know the most secure and professional way of keeping secure data like this.

    I developed it in Java 7.0; my intention is to run it on Windows 7 as well as Ubuntu Linux.

    Where will you store the encryption key to decrypt the information?

    Which OS are you using? IIRC in .NET there are some options for this.

    @S.L.Barth I developed it in java 7.0 my intention is to run it in Windows 7 as well as Linux Ubuntu

    @Begueradj I developed it in java 7.0 my intention is to run it in Windows 7 as well as Linux Ubuntu

    Ok, I've taken the liberty of editing that into your question. BTW if you disagree with edits, you can roll them back. To roll an edit back, click on the "edited ... ago" link. That takes you to the revision history, where you can roll back to a previous version of your post. Meanwhile, good luck, hope you'll get a useful answer!

    @S.L.Barth Your editing is helpful to improving the question,i appreciate you help

    Use the operating system's password manager rather than store the password yourself. Otherwise there's no proper way, you'll have to keep it clear-text (or some obfuscated, perfectly recoverable equivalent that only provides illusion of security).

    You could use ESAPI to encrypt your configuration files. There are some details here: https://www.owasp.org/index.php/How_to_encrypt_a_properties_file

  • user45139

    user45139 Correct answer

    6 years ago

    Data stored in a text file stay there in clear format unless you encrypt that file itself.

    As the other answerer said, better to store your credentials in the MySQL database itself. Hash and salt your password (and why not using a pepper too?)

    Useful links with very good answers:

    1. How to securely hash passwords?
    2. How to store salt?
    3. What is the purpose of a Pepper?

    EDIT:

    Following your comments:

    • You either want to do the same thing as Wordpress, Joomla and other famous CMS do: create a separate table where you can store such information.
    • Or may be you are hosting your web application on a server on which you are limited in order the number of DBs and tables within a DB you are allowed to create: in that case, you can create a PHP configuration file (instead of a text file) where you store that information and follow the good practices in such situations (such as protecting the folder in which this file is located with an .htaccess file)

    problem is I have to save database credentials outside the database so saving a credentials in a file is the only solution I came up with

    When my application starts it read my credential file and establish a connection with database server, all the users credentials are in database table,to establish a connection with database, my application must have a database credentials out side the database

    @dilee You can create a separate table in your DB called for example where you store the credentials and other info (Wordpress does the same, then it reads that table via `wp-config.php` file)

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM