Re: Security

David Brownell (David.Brownell@Eng)
Tue, 20 Jan 1998 16:53:59 -0800

Date: Tue, 20 Jan 1998 16:53:59 -0800
From: David.Brownell@Eng (David Brownell)
Message-Id: <199801210053.QAA29957@argon.eng.sun.com>
To: java-security@web2.javasoft.com, Reszo@aol.com
Subject: Re: Security

What can keep this from happening is not to do this!!

As a rule of thumb, keeping unencrypted passwords is a
bad idea. They can be hashed using a one-way function,
as is done in the UNIX password scheme.

But if you "must" keep them, don't put them someplace
that they'll be downloadable from your web site. This
is true for any system ... it's not specific to Java.

- Dave

> From Reszo@aol.com Mon Jan 19 07:48:17 1998
> From: Reszo <Reszo@aol.com>
> Date: Mon, 19 Jan 1998 10:42:13 EST
> To: java-security@web2.javasoft.com
> Subject: Security
>
> If you have strings of a password stored in a class file, it is visible if
> someone downloads it and views it through a text editor. If someone saves the
> HTML and edits it, they can find out the location of the Java file. If they go
> to the Java file, they can download it and edit it. What can keep this from
> happening?
>