1

在我的 Java 应用程序开始时,我让用户输入他的用户名和密码。这些凭据存储在 ConnectionKey 对象中,该对象在应用程序对 Web 服务进行查询时使用。每个查询都需要有效的用户名和密码。此外,这些查询会在应用程序的整个生命周期中执行。

现在,我将用户密码作为简单的字符串存储在 ConnectionKey 中。我知道这是非常不安全的,我想通过某种加密使其更安全。但是,我需要能够检索原始用户密码才能查询此 Web 服务。

  • 如何安全地存储用户密码,同时在整个应用程序中仍使用此密码?

谢谢!

编辑

ConnectionKey 只是一个像这样的类:

class ConnectionKey {

    private final String user;
    private final String pass;
    private final String server;

    public ConnectionKey(String user, String pass, String server) {
         this.user = user;
         this.pass = pass;
         this.server = server;
    }

}
4

1 回答 1

0

To begin with, I am sure that you read the following question on SO Why is char[] preferred over String for passwords? Which implies that if you have plain password, at least be it a char[] not String

Other than that, to securely store a user password, you should encrypt it with a well-known, well-tested (and usually one-way) encryption algorithm.

This maybe contradicts with what you asked and how you use ConnectionKey, but the problem is easy encrypt your password and change your api/methods where password is used.

For example, if you are trying to validate a ConnectionKey on the server side, change that method to work with encrypted passwords, that is, use the same encryption algorithm for the known password and compare it with the incoming encrypted one.

于 2013-04-04T22:13:30.583 回答