Spartan Java

Tag: password

obov v1.1.0 released

by on Aug.04, 2008, under Security

A new version of obov is available for download. Some nice new features were added:

  • Methods to generate passwords using the HMAC-SHA1 algorithm
  • A handy utility method to generate secret keys (seeds) based on any given string

Go get it!

obov v1.0.0 released

by on Jun.27, 2008, under Security

obov stands for OATH Based OTP validator. It’s a 100% pure Java library that provides simple-to-use methods (and related utilities) to validate one-time passwords generated by OATH-compliant devices.
(continue reading…)

Authenticate users using i5/OS (AS400) credentials

by on May.12, 2008, under Security, Tips

The folks at IBM have a nice API to use i5/OS (AS400) stuff from Java code. Check it out at http://www-03.ibm.com/systems/i/software/toolbox/index.html.

What I particularly find very useful and have used often is to validate user names and passwords with the AS400 authentication services. The following code validates a userName and password.
(continue reading…)

Authenticating users using Unix or Windows credentials

by on Apr.22, 2008, under Security, Tips

It’s usually very nice, and sometimes a requirement, to validate usernames and passwords using existing credentials. And in most situations big frameworks or single sign-on systems are just damn overkill and complex.

If you need to check your users' credentials via an existing Unix system (that supports PAM) or a Windows domain controller, check out (continue reading…)

Encrypting sensitive information in persistent media

by on Apr.06, 2008, under Articles, Security

If you have ever deployed an application in a corporate environment, where an IT Security officer likes to keep a tight leash on who knows each system password, you probably needed to figure out some sort of security mechanism to store the passwords your application needs to connect to some database, access a web service, etc.

The most obvious and straightforward approach is to use a symmetric algorithm, like 3DES or AES, with an encryption password hard-coded in your application to decrypt/encrypt the sensitive credentials. This has several cons:

  1. Anyone with access to the source code of the application can decrypt all sensitive data, i.e. you can’t guarantee to the security officer that someone from your team/company won’t abuse this
  2. Anyone with access to the binary files of the application and a good decompiler can decrypt all sensitive data, i.e. the security officer can’t even trust his IT production staff
  3. To change the encryption password you have to re-deploy the application

And these are just the 3 most important issues that come to mind in 5 minutes…

(continue reading…)
