
How to Securely Store User Credentials in Software?

Patricia Arquette
Release: 2024-11-25 18:44:11

Storing User Credentials Securely

In secure software design, avoid storing passwords in plaintext. Instead, employ hashing and encryption techniques to safeguard sensitive information.

Step 1: Convert Credentials to Character Arrays

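Hold credentials in character arrays rather than Strings. Strings are immutable, so their contents cannot be overwritten and stay in memory until the garbage collector reclaims them, leaving the data exposed before cleanup. A character array, on the other hand, can be overwritten as soon as the credential is no longer needed.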

Step 2: Encrypt Credentials and Decrypt Temporarily

Encrypt credentials while preserving the original hash for security, and decrypt them only during the authentication process. Avoid hard-coding credentials; store them securely instead, for example in encrypted configuration files.

Step 3: Apply TLS or SSL for Secure Transmission

Implement TLS or SSL to encrypt data transmission between client and server. This protects credentials from eavesdropping.

Step 4: Implement Obfuscation Techniques

Apply obfuscation so that the security measures are harder to read even if the application is decompiled. Obfuscation raises the effort an attacker needs to uncover vulnerabilities; it slows analysis down rather than stopping it.

Sample Code

The following code snippet illustrates encrypting and decrypting credentials:

import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class SecureCredentials {

    // Demo values only: a key and salt embedded in source can be read by anyone
    // who has the binary. Load the key from outside the code in real use (see Step 2).
    // PBEWithMD5AndDES is a legacy scheme (MD5 and single DES); it is kept because
    // it is the algorithm this sample was written for.
    private static final char[] PASSWORD = "YourEncryptionKey".toCharArray();
    private static final byte[] SALT = {
        (byte) 0xde, (byte) 0x33, (byte) 0x10, (byte) 0x12,
        (byte) 0xde, (byte) 0x33, (byte) 0x10, (byte) 0x12
    };

    // Encrypts the credential and wipes the caller's array before returning.
    public static String encrypt(char[] property) throws Exception {
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
        SecretKey key = keyFactory.generateSecret(new PBEKeySpec(PASSWORD));
        Cipher pbeCipher = Cipher.getInstance("PBEWithMD5AndDES");
        pbeCipher.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(SALT, 20));

        // Encode the characters as UTF-8 bytes without creating an intermediate String
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(property));
        byte[] plain = new byte[buf.remaining()];
        buf.get(plain);

        // Encrypt and Base64-encode the result
        String encrypted = Base64.getEncoder().encodeToString(pbeCipher.doFinal(plain));

        // Clean up every copy of the plaintext held by this method
        Arrays.fill(plain, (byte) 0);
        Arrays.fill(buf.array(), (byte) 0);
        Arrays.fill(property, '\0');

        // Return encryption result
        return encrypted;
    }

    public static String decrypt(String property) throws Exception {
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
        SecretKey key = keyFactory.generateSecret(new PBEKeySpec(PASSWORD));
        Cipher pbeCipher = Cipher.getInstance("PBEWithMD5AndDES");
        pbeCipher.init(Cipher.DECRYPT_MODE, key, new PBEParameterSpec(SALT, 20));
        byte[] plain = pbeCipher.doFinal(Base64.getDecoder().decode(property));
        return new String(plain, StandardCharsets.UTF_8);
    }

    // Usage example
    public static void main(String[] args) {
        try {
            char[] password = "MySecurePassword".toCharArray();

            // Print before encrypting: encrypt() zeroes the array it is given
            System.out.println("Original Password: " + String.valueOf(password));

            String encryptedPassword = encrypt(password);
            String decryptedPassword = decrypt(encryptedPassword);

            System.out.println("Encrypted Password: " + encryptedPassword);
            System.out.println("Decrypted Password: " + decryptedPassword);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
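
A hardened variant of the sample above, added here as an illustration and not part of the original article: it derives an AES-256 key with PBKDF2-HMAC-SHA256 and encrypts with AES-GCM, using a fresh random salt and IV on every call instead of a fixed salt and a DES-based scheme. The class name GcmCredentialStore, the iteration count, the blob layout and the demo passphrase are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
// Added example: class name, iteration count, layout and sample values are assumptions.
public class GcmCredentialStore {
    private static final int ITERATIONS = 600_000, SALT_LEN = 16, IV_LEN = 12, HDR = SALT_LEN + IV_LEN;
    private static Cipher cipher(int mode, char[] master, byte[] hdr) throws Exception {
        byte[] salt = Arrays.copyOfRange(hdr, 0, SALT_LEN); // hdr starts with salt || iv
        PBEKeySpec spec = new PBEKeySpec(master, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(raw, "AES"), new GCMParameterSpec(128, hdr, SALT_LEN, IV_LEN));
        Arrays.fill(raw, (byte) 0); // SecretKeySpec holds its own copy
        return c;
    }

    // Blob layout: salt || iv || ciphertext+tag, with a fresh random salt and IV per call.
    public static byte[] encrypt(char[] master, char[] secret) throws Exception {
        byte[] hdr = new byte[HDR];
        new SecureRandom().nextBytes(hdr);
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret));
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, master, hdr).doFinal(utf8.array(), 0, utf8.limit());
        Arrays.fill(utf8.array(), (byte) 0); // wipe the UTF-8 copy of the secret
        return ByteBuffer.allocate(HDR + ct.length).put(hdr).put(ct).array();
    }

    // Returns char[] so the caller can wipe it; a modified blob fails with AEADBadTagException.
    public static char[] decrypt(char[] master, byte[] blob) throws Exception {
        byte[] plain = cipher(Cipher.DECRYPT_MODE, master, blob).doFinal(blob, HDR, blob.length - HDR);
        CharBuffer chars = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(plain));
        char[] out = Arrays.copyOfRange(chars.array(), 0, chars.limit());
        Arrays.fill(plain, (byte) 0);
        Arrays.fill(chars.array(), '\0');
        return out;
    }

    public static void main(String[] args) throws Exception {
        char[] master = "demo-master-passphrase".toCharArray(); // constructed; supply at runtime
        byte[] blob = encrypt(master, "MySecurePassword".toCharArray());
        System.out.println(Arrays.equals(decrypt(master, blob), "MySecurePassword".toCharArray()));
    }
}
```

Because decrypt returns a char[], the caller can overwrite the recovered credential right after authentication, as Step 1 recommends.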

source:php.cn