RE: [SC-L] Re: Application Insecurity --- Who is at Fault?

2005-04-11 Thread Chris Matthews
Dave Paris wrote: It's also much more likely that the foreman (aka programming manager) told the builder (programmer) to take shortcuts to meet time and budget - rather than the programmer taking it upon themselves to be sloppy and not follow the specifications. I'd note that there is the

RE: [SC-L] Java keystore password storage

2005-04-25 Thread Chris Matthews
1) storing it in the code - obviously not. I concur :) 2) storing it in a separate config file is also not secure. Definitely a possibility. The question now becomes: is this secure enough? (filesystem permissions, mitigating the problem to the level of the system administrators). 4)
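The message above only names option 2 (password in a separate config file, relying on filesystem permissions so that only the system administrators can read it). As an added illustration, not code from the list or from any poster, the Java sketch below shows what that option looks like when the application actually enforces the assumption instead of just hoping for it: it refuses to use a password file that is group- or world-accessible or that is not owned by the user the process runs as, reads the password into a char[] rather than an immutable String so it can be wiped, and then opens the keystore. The class name, the file paths taken from the command line, and the use of the JDK's default keystore type are my own choices; the permission check assumes a POSIX filesystem (Files.getPosixFilePermissions throws UnsupportedOperationException on Windows).

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Set;

// Added example (not from the SC-L thread): keystore password kept in a
// separate file whose protection is checked before it is trusted.
public class KeystorePasswordFile {

    // Any of these bits set on the password file means someone other than the
    // owner can read or tamper with it, so the "filesystem permissions" argument
    // no longer holds and we refuse to continue.
    private static final Set<PosixFilePermission> FORBIDDEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    // Reads the password file, enforcing owner-only permissions and ownership by
    // the current user. Returns a char[] so the caller can zero it afterwards.
    static char[] readPassword(Path passwordFile) throws IOException {
        String owner = Files.getOwner(passwordFile).getName();
        String me = System.getProperty("user.name");
        if (!owner.equals(me)) {
            throw new IOException(passwordFile + " is owned by " + owner
                    + ", not by the running user " + me);
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(passwordFile);
        for (PosixFilePermission p : FORBIDDEN) {
            if (perms.contains(p)) {
                throw new IOException(passwordFile + " has permissions " + perms
                        + "; it must be readable by the owner only (e.g. mode 0400)");
            }
        }

        byte[] raw = Files.readAllBytes(passwordFile);
        // Drop a trailing newline left by an editor or echo.
        int len = raw.length;
        while (len > 0 && (raw[len - 1] == '\n' || raw[len - 1] == '\r')) {
            len--;
        }
        // Decode into a CharBuffer rather than a String so every copy can be wiped.
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw, 0, len));
        char[] password = Arrays.copyOf(decoded.array(), decoded.limit());
        Arrays.fill(decoded.array(), '\0');
        Arrays.fill(raw, (byte) 0);
        return password;
    }

    // Opens the keystore with the password from the protected file and wipes the
    // password from memory as soon as the load has finished (success or failure).
    static KeyStore loadKeyStore(Path keystorePath, Path passwordFile)
            throws IOException, GeneralSecurityException {
        char[] password = readPassword(passwordFile);
        try (InputStream in = Files.newInputStream(keystorePath)) {
            // Default type is an assumption; use "JKS" or "PKCS12" explicitly if needed.
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password);
            return ks;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeystorePasswordFile <keystore> <password-file>");
            System.exit(2);
        }
        KeyStore ks = loadKeyStore(Paths.get(args[0]), Paths.get(args[1]));
        System.out.println("loaded keystore with " + ks.size() + " entries");
    }
}
```

The check does not make the password any harder to obtain for someone who already has the service account or root; that is exactly the "mitigating the problem to the level of the system administrators" trade-off the message describes. What it does add is failing closed when a deployment mistake (a 0644 file, a file dropped in by the wrong account) would otherwise silently widen who can read the password.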

RE: [SC-L] Java keystore password storage

2005-04-26 Thread Chris Matthews
David Crocker wrote: I'm by no means an expert in the field of security and Java, but I believe that the usual technique is to encode the password that the user types using a 1-way hashing algorithm, then store (and hide/protect) the encoded version and use that as the password. If an attacker