Hi!

I'm building a program which connects to a MySQL server. The program saves the server passwords in SHA format. There's one class responsible for converting and checking the passwords, and another one for DB connection. Now, when the user starts the program, (s)he types in the username and password. The login checker converts the password to SHA and checks if it matches the earlier string. If it does (and the username is ok, of course), then the DB class will make the connection.

The problem here is, how should I deliver the password from the login checker to the DB connection? making a public method like getPassword() seems quite icky. I was thinking of using getEncryptedPwd() method which would return the SHA string of the password, but I can't find a way to use that to connect to the server.

At the moment, my connection is done like this:

String url = "jdbc:mysql://host:port/dbname?user=username&password=pwd";
Connection con = DriverManager.getConnection(url);

So, is there a way to use the SHA string in the connection? If there isn't, what would be the most secure way to get the username and password from one class to another?

Thanks and cheers! :)

AFAIK, there is no standard way of sending encrypted passwords to the database. Why does passing data between validation code to the db connection code seem icky; after all, it's just in-memory transient plain text data that you are passing between classes and not something you are writing out to the file system.

If you end motivation is over the wire security (making sure that no one tampers with the password sent over the wire in plaintext), you can configure MySQL to accept SSL connections (at least this is what this article says). One thing to look out for is to confirm whether this SSL connection is a single time connection used only for grabbing the Connection or does it also encrypt all the communication which follows by using that Connection object since SSL has a distinct overhead when compared to normal socket communication.

My server is at the university, so all the network connections made are tunneled via SSH. My concerns are about the in-memory security. One could grab the password using some kind of RAM dump. Although, one can easily figure it out from the password entry, if the program starts working with that...

This article has been dead for over six months. Start a new discussion instead.