
I am writing a Java application that is using OAuth to authenticate against a server API. The server is offering the OAuth secrets for users to copy from its website.

Because each request needs the secrets, I wanted to store them in a password-protected file with a new password so they don't have to be entered every time.
In addition to that, the user should have to enter this new password only once each session, so it has to be stored somehow.

Is it safe to keep the password for the secret file in memory during the whole user session? What are possible dangers of doing so?

Simoon
  • From your description you don't need to store the password, just the tokens returned from the OAuth authentication request. I would recommend re-wording your question, because it is not about passwords, it is about OAuth tokens. – Scott Chamberlain Mar 21 '16 at 16:24
  • I didn't mean the user's password for the API's service but a new, local password which is only used for de/encrypting the file containing the secrets. – Simoon Mar 21 '16 at 16:39
  • @ScottChamberlain, replace "password" with "random cryptographic key" and then you see what the OP is meaning. As for the actual question: standard dangers of software-based encryption apply, no more, no less. (-> ensure the key never gets swapped out to the drive and hope the attacker doesn't have root access and you should be fine) – SEJPM Mar 21 '16 at 17:20
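The following is an added example, not code from the question or from any of the commenters, showing one way to do what the question describes: derive a file key from the session password with PBKDF2, keep only that derived key in memory for the session, use it to seal and unseal the secrets file with AES-GCM, and zero the key when the session closes. The class name SecretVault, the PBKDF2 iteration count, the sample password and the sample secret string are all assumptions constructed for the example.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

/** Hypothetical helper: holds the file key for one session and wipes it on close(). */
public final class SecretVault implements AutoCloseable {
    private static final int SALT_LEN = 16;
    private static final int NONCE_LEN = 12;       // 96-bit GCM nonce
    private static final int TAG_BITS = 128;
    private static final int PBKDF2_ITER = 600_000; // assumed work factor; tune for the target machine

    private final byte[] key; // derived 256-bit key, the only long-lived secret in memory

    private SecretVault(byte[] key) { this.key = key; }

    /** Derive the file key from the password, then wipe every copy of the password we control. */
    public static SecretVault open(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITER, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return new SecretVault(f.generateSecret(spec).getEncoded());
        } finally {
            spec.clearPassword();        // PBEKeySpec keeps its own copy of the password
            Arrays.fill(password, '\0'); // and the caller's copy
        }
    }

    /** Fresh random salt, stored alongside the sealed file (it is not secret). */
    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /** Output layout: nonce || ciphertext || GCM tag. A new nonce is drawn for every call. */
    public byte[] seal(byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[NONCE_LEN + ct.length];
        System.arraycopy(nonce, 0, out, 0, NONCE_LEN);
        System.arraycopy(ct, 0, out, NONCE_LEN, ct.length);
        return out;
    }

    /** Throws AEADBadTagException if the blob was tampered with or the key is wrong. */
    public byte[] unseal(byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_LEN));
        return c.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN);
    }

    /** End of session: overwrite the key. Only this array is wiped; see the note below. */
    @Override public void close() { Arrays.fill(key, (byte) 0); }

    public static void main(String[] args) throws Exception {
        byte[] salt = newSalt();
        // Constructed sample; real code reads the password with Console.readPassword() into a char[]
        char[] password = "session-password".toCharArray();
        byte[] secrets = "consumer_key=EXAMPLE;consumer_secret=EXAMPLE".getBytes(StandardCharsets.UTF_8);
        byte[] blob;
        try (SecretVault vault = SecretVault.open(password, salt)) {
            blob = vault.seal(secrets);          // write blob + salt to the protected file
            Arrays.fill(secrets, (byte) 0);
            byte[] again = vault.unseal(blob);   // a later request in the same session: no prompt needed
            System.out.println(new String(again, StandardCharsets.UTF_8));
            Arrays.fill(again, (byte) 0);
        } // key zeroed here when the session ends
    }
}
```

Two caveats follow directly from the comment above about software-based encryption. First, the wipe in close() only clears the array this class owns: SecretKeySpec and the cipher provider make their own copies, and the JVM's garbage collector may relocate arrays, so stale copies of the key can survive in the heap. Second, Java offers no way to lock a page in memory, so "ensure the key never gets swapped out" is something the operating system configuration (or a native keystore such as the OS credential manager) has to provide, not the application. Keeping the derived key rather than the password at least means a memory disclosure exposes the file key and not a password the user may have reused.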

0 Answers