Password control



  1. #1
    Join Date
    Apr 2004
    Posts
    28

    Password control

    Help

    Can someone tell me how I can store usernames and passwords in a file to be cross-checked with a logon screen's input?

    Thanks in advance

  2. #2
    Join Date
    Feb 2004
    Posts
    541
    Is it the file structure you're asking about, or the actual reading and writing to files? If you're talking about file structure you could store one username and password pair per line in the file and then read back one line at a time. Separate the pair using a string tokenizer, and store them in an array. Read them back once when the program starts and then just use them from the array whenever they're needed.

  3. #3
    Join Date
    Apr 2004
    Posts
    28
    Mike thanks again

    I know the theory of how to go about it but I have a major difficulty coding the processes involved. I would be grateful for some sample code which I can work through for better understanding.

  4. #4
    Join Date
    Dec 2002
    Posts
    83
    Like Mike asked, I'm not exactly sure if it's just the I/O process you are wondering about or not. Here is a sample Test class that reads a text file of username and passwords, comma delimited.

    Code:
    import java.io.*;
    
    class Test 
    {
    public static void main(String[] args) 
    {
    	String line = null;
    
    	// try-with-resources closes the file even when an exception is thrown
    	try (BufferedReader in = new BufferedReader(new FileReader("users.txt"))) {
    		
    		// readLine() returns null at the end of the file
    		while ((line = in.readLine()) != null) {
    			// split the line at the first , found
    			// then assign the two parts to username and password
    			String[] lineArr = line.split(",", 2);
    			if (lineArr.length < 2) {
    				continue; // skip blank or malformed lines
    			}
    			String username = lineArr[0];
    			String password = lineArr[1];
    
    			// do what you want with the username/password here
    			// printing to console for example
    			System.out.println("username = "+username+", password = "+password);
    		}
    	}
    	catch (FileNotFoundException e) {
    		System.out.println("Could not verify username/password, file not found");
    	}
    	catch (IOException e) {
    		System.out.println("Could not verify username/password, I/O exception");
    	}		
    }
    }
    The users.txt file would be like:
    Code:
    user1,pass1
    user2,pass2
    homestar,athletic
    strongbad,awesome
    thecheat,wydydway
    Obviously, this is about as non-secure as you can get when dealing with passwords. This kind of thing should only be done for practice applications.
    -- Steven

  5. #5
    Join Date
    Apr 2004
    Posts
    8
    How would this be done if the password file was online?

    As in, a URL that people didn't know about?

    I'm having problems trying to do this in swing...

    check thread...

    having problems with URL in java

    thanks!

  6. #6
    Join Date
    Feb 2004
    Posts
    541
    If your file is going to be online then you're going to need to use a URL object. Read here to learn about it, it's a Sun Tutorial so should be pretty good. If your program is meant to be realistic it would still be a bad idea to have the passwords stored in a text file without encryption, even if no one knows the URL to the file. If they find out they have a nice list of all passwords. You might want to consider hashing the strings. This performs a one way operation on the string, such that all identical strings will be converted to a specific hashcode, but given a hashcode it isn't easy to work back to the string they came from.

  7. #7
    Join Date
    Apr 2004
    Posts
    28
    Thanks for the code; however, I can understand the code above but need to have a more secure way of bringing it in and also changing it through an edit password form.

    Any code that can do this will be invaluable

  8. #8
    Join Date
    Apr 2004
    Posts
    28
    Has anyone any idea how I make this secure? I select the username from a combobox and type the password. If the password is ok it takes you to the main screen of my application. If not, the program prompts an incorrect password entered. Is it possible to put the passwords in the code and change them once the application is running without writing to a file?

  9. #9
    Join Date
    Feb 2004
    Posts
    541
    It is possible to put the passwords in the code, and to change them while the program is running, but any changes will be lost when the program next starts. That also isn't too secure because if someone decompiles your code they have the list of passwords.

  10. #10
    Join Date
    Dec 2002
    Posts
    83
    Encryption is how you can make it secure. When a user enters a password, be it the first time or for verification, you put it through an encryption. That encrypted string is what you store in your database, or file in this case.

    I've attached a PasswordService class I stole from an article a while ago. It basically does all the encrypting for you. All you have to do is something like this in your code:
    Code:
    String encryptedPassword = PasswordService.getInstance().encrypt(loginForm.getPassword());
    The loginForm.getPassword() in this case is the user-input password.

    I think I modified the PasswordService class slightly. You could find the original article if you want. I think all I added was my own SystemUnavailableException.

    Pasting the PasswordService.java here as well
    Code:
    import java.io.UnsupportedEncodingException;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.Base64; // replaces sun.misc.BASE64Encoder, which newer JDKs no longer ship
    import com.adventurelog.exceptions.SystemUnavailableException;
    
    /**
     * Taken from http://www.devarticles.com/art/1/544
     * 
     * Step 1: The registration servlet will interface with our PasswordService class using this static getInstance() 
     * method. Whenever it is invoked, a check will be made to see if an instance of this service class already exists. 
     * If so, it will be returned back to the caller (registration servlet). Otherwise, a new instance will be created. 
     *
     * Step 2: We are asking Java security API to obtain an instance of a message digest object using the algorithm 
     * supplied (in this case, SHA-1 message digest algorithm will be used. Both SHA and SHA-1 refer to the same thing, 
     * a revised SHA algorithm). Sun JDK includes JCA (Java Cryptography Architecture) which includes support for SHA 
     * algorithm. If your environment does not support SHA, NoSuchAlgorithmException will be thrown. 
     *
     * Step 3: Feed the data:
     * a) convert the plaintext password (eg, "jsmith") into a byte-representation using UTF-8 encoding format.
     * b) apply this array to the message digest object created earlier. This array will be used as a source for 
     * the message digest object to operate on. 
     * 
     * Step 4: Do the transformation: generate an array of bytes that represent the digested (encrypted) password value. 
     * 
     * Step 5: Create a String representation of the byte array representing the digested password value. 
     * This is needed to be able to store the password in the database. 
     * At this point, the hash value of the plaintext "jsmith" is "5yfRRkrhJDbomacm2lsvEdg4GyY=". 
     * 
     * Step 6: Return the String representation of the newly generated hash back to our registration servlet so 
     * that it can be stored in the database. The user.getPassword() method now returns "5yfRRkrhJDbomacm2lsvEdg4GyY=" 
     * 
     * That's all. Your database password data is now encrypted and if an intruder gets a hold of it, 
     * he/she won't have much use of it. Note, you have to consider how you will handle "forgot password" 
     * functionality in this case as you now cannot simply send a password to the user's email address. 
     * (Well, you should not be doing things like that anyway) . Sounds to me like a perfect topic for my next article.
     * 
     */
    public final class PasswordService
    {
      private static PasswordService instance;
      
      private PasswordService() {
      	
      }
    
      public synchronized String encrypt(String plaintext) throws SystemUnavailableException
      {
        MessageDigest md = null;
        try
        {
          md = MessageDigest.getInstance("SHA"); //step 2
        }
        catch(NoSuchAlgorithmException e)
        {
          throw new SystemUnavailableException(e.getMessage());
        }
        try
        {
          md.update(plaintext.getBytes("UTF-8")); //step 3
        }
        catch(UnsupportedEncodingException e)
        {
          throw new SystemUnavailableException(e.getMessage());
        }
        byte raw[] = md.digest(); //step 4
        String hash = Base64.getEncoder().encodeToString(raw); //step 5
        return hash; //step 6
      }
      
      public static synchronized PasswordService getInstance() //step 1
      {
        if(instance == null)
        {
          instance = new PasswordService(); // keep the object so later calls reuse it
          return instance;
        } 
        else    
        {
          return instance;
        }
      }
    }
    -- Steven
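
An added example, not part of the thread or of the article it cites, covering the file store asked about in #1, the hashing suggested in #6 and the edit-password request in #7: each record holds a per-user random salt and a PBKDF2 hash instead of the password. The class name PasswordFile, the record format, the iteration count and the sample credentials are assumptions made here.

```java
import java.nio.file.*;
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (hypothetical class). File format: user:iterations:salt:hash, one record per line.
public final class PasswordFile {
    private static final int ITERATIONS = 600_000, SALT_BYTES = 16, KEY_BITS = 256; // assumed settings
    private final Path file;
    private final Map<String, String> records = new LinkedHashMap<>(); // username -> full record line
    public PasswordFile(Path file) throws Exception {
        this.file = file;
        if (Files.exists(file))
            for (String line : Files.readAllLines(file))
                if (!line.isEmpty()) records.put(line.split(":", 2)[0], line);
    }

    private static byte[] derive(char[] pw, byte[] salt, int iters) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iters, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public void setPassword(String user, char[] pw) throws Exception { // create or change a password
        if (user.isEmpty() || user.contains(":")) throw new IllegalArgumentException("bad username");
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);                            // fresh salt on every change
        Base64.Encoder b64 = Base64.getEncoder();
        records.put(user, user + ":" + ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(derive(pw, salt, ITERATIONS)));
        Files.write(file, records.values());                           // rewrite the whole file
    }

    public boolean verify(String user, char[] pw) throws Exception {   // check a login attempt
        String[] p = records.getOrDefault(user, "").split(":");
        if (p.length != 4) return false;                               // unknown user or malformed record
        Base64.Decoder b64 = Base64.getDecoder();                      // re-derive, compare in constant time
        return MessageDigest.isEqual(b64.decode(p[3]), derive(pw, b64.decode(p[2]), Integer.parseInt(p[1])));
    }

    public static void main(String[] args) throws Exception {
        PasswordFile store = new PasswordFile(Files.createTempFile("users", ".txt")); // constructed sample
        store.setPassword("homestar", "athletic".toCharArray());
        store.setPassword("homestar", "new-passphrase".toCharArray()); // the edit-password form
        PasswordFile reloaded = new PasswordFile(store.file);          // as on the next program start
        System.out.println("old password accepted: " + reloaded.verify("homestar", "athletic".toCharArray()));
        System.out.println("new password accepted: " + reloaded.verify("homestar", "new-passphrase".toCharArray()));
    }
}
```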
