
I have to store a password to some other system in a config file in my Java application (a web app running on Tomcat). What are my options to protect it (both at rest and in memory)? (Hashing is not an option.)

At rest: if I encrypt the password in the config file, where will I store the key? In another config file? That doesn't sound right... I don't want to hardcode it in the code.

In memory: I read that I shouldn't use String but char[], but still, if somebody dumps the memory, they will have the password. Does Java have something like SecureString in .NET?

Thank you

Aaron_S
    Possible duplicate of [What is the best way to store password in memory (RAM) in Java?](http://security.stackexchange.com/questions/73637), [Storing password in Java application](http://security.stackexchange.com/questions/19956), [Securely store password for Java Keystore](https://security.stackexchange.com/questions/147588), [Secure way to save password in configuration file](http://security.stackexchange.com/questions/102677). If you feel that your problem is not handled by these questions, please make clear how it differs from them. – Steffen Ullrich Jan 15 '17 at 08:30

1 Answer


Your question about saving passwords is a duplicate. If someone runs your Java application, it is better to get the required password(s) from the user or system admin who is responsible for running the application.

After you get the password, never save it as a String, because strings in Java are immutable and you do not have any control over those memory blocks (only the JVM along with the GC does). Store them in a char[] in memory and do not use toString().

If you are dealing with a UI, do not use methods such as getText() to retrieve a password. Use the getPassword() method of JPasswordField, as an example.

user3496510
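As an added example (not part of the answer above or any project's code), the following Java program shows the char[] lifecycle the answer describes: the password is read with Console.readPassword(), which returns a char[], is passed to PBEKeySpec, which also accepts a char[], so no immutable String copy is ever created, and both the caller's array and PBEKeySpec's internal copy are overwritten once the key has been derived. The PBKDF2 derivation, the fixed salt and the non-interactive fallback value are assumptions made for illustration; the page itself does not say how the password is used.

```java
import java.io.Console;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordHandling {

    // Derive a symmetric key from a password held only in a char[].
    // PBEKeySpec takes char[] directly, so the password is never turned into a String.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            // PBEKeySpec keeps its own copy of the chars; clear that copy too.
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password;
        Console console = System.console();
        if (console != null) {
            // Prompt the operator at startup; readPassword() returns char[], not String.
            password = console.readPassword("Password for remote system: ");
        } else {
            // Constructed fallback for runs without a console (IDE, CI); not a real credential.
            password = "example-only".toCharArray();
        }

        // Constructed salt for the example; a real deployment stores a random salt alongside the config.
        byte[] salt = new byte[16];

        try {
            byte[] key = deriveKey(password, salt);
            System.out.println("derived key length: " + key.length + " bytes");
            // Wipe the derived key as soon as it is no longer needed.
            Arrays.fill(key, (byte) 0);
        } finally {
            // Overwrite the password chars; a String could not be wiped this way.
            Arrays.fill(password, '\0');
        }
    }
}
```

Wiping the array only narrows the window of exposure: while the password is in use it is in plain form in the heap, so a memory dump taken at that moment will still contain it, which is the limitation the question itself points out. Passing the char[] to APIs that accept it (PBEKeySpec, KeyStore.load, JPasswordField.getPassword) avoids creating String copies the garbage collector would otherwise keep around.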