I’m looking for a secure process to store a password in a Java client application.
I will use Preferences API to store data client side.
I want my Client to be able to store login information (login and password) to speed up next logins. I don’t want to keep the password clear, so I’ll encrypt it.
Client / Server communication is established over SSL, so I can store keys server-side.
My first proposition is that on successfull login, the server sends the client a key to encrypt his password then store it. Then on next session opening, the client sends his last session id back to server who answers by the decryption key.
This could be using private / public keys or only one key.
I thing it’s not secure as the session id will be stored clear so anyone could decrypt the password…
Any proposition, there must be a classic process for this..?
Thanks in advance !
No way to do it, really. You want the computer to remember a secret so that the user doesn’t have to interact with the system in order to authenticate. You can encrypt the secret and automate the decryption, but that’s still all doable with information on the machine. An attacker with access to local storage will be able to play back whatever scheme you implement and retrieve the password.
A sort of compromise is a keychain system, in which all of the stored passwords for a user are encrypted by a master password which the user produces when he logs in, so he only needs to remember one. But this is out of the scope for a single application.