Hello, oh knowledgeable ones. In need of a bit Java help.

I'm currently putting the finishing touches to my Final Year Project for University, but I'm having trouble with one aspect.

When my program initialises, it requests the user to enter a password before they can then use the rest of the system.

In it's most basic form, the method simply matches the users input to a String and checks they're equal.

E.g.
String password = "password"
if(password.equals(userInput))
startProgram
else
requestPasswordAgain();

I have this working fine.

However, in my program I want to be able to give the user the option of changing the password, but I don't know of a way of making this change permanent. I can do:

password = newPassword;

But when the program is restarted, the password String will obviously go back to its default of "password".

Short of writing the password to an external file and encrypting it, I don't know how to make this work.

Any ideas? Thanks in advance.

 

My knowledge of Java is a large empty void but assuming that in java you can work with external files (which most probably you can) just save the password in a file and if the user wishes to change it save the new password in that file. Of course, this leads to the problem of the user opening the file and getting the password.

To overcome that you need to use any encryption mechanism, like in PHP one uses md5 to encode and then save the password. Basically

Code:

password = getencryptedpasswordfromfile
password2 = encrypt(password from user)
if (password == password2) { 
start program
}

for changing password

Code:

newpassword = encrypt(passwordgivenbyuser)
put the value of newpassword into the file.

 

1) How are you saving the password if not in an external file?

2) Don't encrypt, use a salted hash (btw Deoxys, there is a difference). And while you can use MD5 as your hashing function, there are better alternatives.

 

The password is simply a String variable in the program. It is set to 'password' as default. When the user inputs the password, the program checks to see if the two Strings are equal. I was planning on just having the program change the variable when the user changes the password, but of course, when the program is re-run, the String goes back to its default password. I've been trying to find a solution without using an external file, but I don't think there is one.

I'll check it out, thanks.

 

What you can do instead of writing the password to an external file is that you can link up your program to a back-end database and store the contents of the string reference variable in there. That will suitably take care of the security factor.

 

Seems stupid to use a database for such a simple program. There is no way to do what you want to do. Variables cannot be stored in a Java executable alone you have to use an external text file.

 

My point exactly. Using a database is a lot of hassle when you can put a few values in a config.txt file. (any other settings that user might want to change like resolution and stuff)

And yes I know the difference between salt and md5. I was just putting out an idea.

Hijacking the topic, I have a little bit knowledge of C++ and none at all for Java. I currently want to learn either Java or C#.

Which is a better choice?

 

Depending on how secure you require your password to be, you could always just write it to a regular file, but add 1 random bit before your password (Google BitOutputStream). This will cause any application that opens your data and tries read it to display a nice selection of obscure ASCII characters instead of your password. So long as you don't call the file 'password' it shouldn't be too obvious whats going on to the casual user.

Beats having to use Javas ass backwards (imo) security classes at any rate.

 

:facepalm ...I don't know how to respond to this.

Edit: Okay, I'll elaborate. I meant that there is a difference between encryption (e.g. RSA) and hashing (e.g. MD5 or SHA-1/SHA-2). In this context, the latter refers to one-way hashing, which is what you'd want to use for password checks. Salts are just random strings of data you concatenate with passwords before hashing.

 

Security through obscurity is not security.

 

Haha, while i appreciate your point I think for a non commercial final year project with presumably made up test data if any, it might just about suffice.

Ps. Security through only obscurity is not security.