Login from textfile

[abcat]

Hi,

I am interested to do a login form from a text file, however, there is security issue where by user can open up the textfile and read the data, I wonder is there any way for me to encrypt the text file and read by java.

In addition, is there any other issue to consider as in hide the text file etc.?

[oceanebelle]

I am not familiar with cryptography but in my simple mind,
I'd say create an app that creates the text file whose contents are encrypted,
and then your login form decrypts it.

since you make the encryptor and decryptor, say in java, then there should be no problem.

You could create your own encrypt/decrypt algorithm or you can use whatever is freely available.

It reminds me of Lotus notes login. Each person is given this file which is encrypted. The person points to this file whenever he wants to login.

the program that created the file is the same as the program that reads/analyses the file.

[oceanebelle]

Hi,

I am interested to do a login form from a text file, however, there is security issue where by user can open up the textfile and read the data, I wonder is there any way for me to encrypt the text file and read by java.

In addition, is there any other issue to consider as in hide the text file etc.?

The security issue only arises when the person that's inspecting the file knows what to do with the file and what's in it.

Obviously you won't want your login file key to be in clear text.

It shall be your responsibility to make it as secure as you can. The hackers can only guess.

[ComputerJy]

hmm, so to get this straight.. I need a file to login to your service, application website.. etc.

Ok, have you considered interception? What if someone copied the file, can they use my account? Or is the file password protected or using key-based encryption? If so, why bother with the file the first place.. just use a password

[manavo11]

If you want to store the passwords in the file, then you definitely have to encrypt the passwords (maybe even the usernames as well).

Since a textfile is something that anyone can open and edit, you have to make sure that no one can open it, add a simple username/password pair and be able to login to your system.

I'd suggest making the textfile contain the hash of the username and the hash of the password. This way, it's not something reversible (if someone opens the textfile, they can't extract any information).

So if you look around for implementations of algorithms such as MD5 or SHA-1, you can write in the textfile the hashes of the username and password, and when someone tries to login you can hash the username, hash the password, and see if you can find a matching pair in the text file.

(Of course, if someone realises you are using MD5 to calculate the hashes they can obviously calculate their own hashes and add them to the textfile, but there's only so much you can do with a textfile)

[manavo11]

Another thing you could do is append something to the password before you encrypt it. Some key that only you know and the user that wants to calculate their own hash won't know. So during registration you'll do:

-Hash(Password+SecretCode)
-Save hash to file

And during login you'll do:

-Hash(WhateverTheUserEnteredAsAPassword+SecretCode)
-Compare with the existing hashes

So this means that nobody can add a hash to the textfile externally. Makes it a bit better