Storing Passwords in a Web Application
Posted on 2005-05-16
I have a design question that I hope you can answer. We are currently developing a web application based on Tomcat/JSP with an MS SQL database.
The data on the database is sensitive and must be kept secure. As the data needs to be read by several people, we have not implemented one-way encryption on the data. Instead we have used an encryption algorithm which is based on a 64 character key.
Our issue is this: Where to store this key and where to store the logon details for the database?
At the moment they are hardcoded into the JSP code. We have considered storing them in a file on the server, but it hits performance too much to be reading data from file every time the user accesses the database.
We also have a question on whether to use one key for all data or to manage separate keys by record/customer.
I am sure this is not a new problem that we are facing and I turn to you, resident experts, for guidance.
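As an added illustration (not code from the original post or any reply), one way to address both questions at once: read the master key and the DB logon details from a properties file once at startup, so no per-request file I/O is needed, and give each customer its own data key wrapped under the master key so a single key never directly protects all records. The file path, property names and the choice of AES-GCM are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
/** Secrets read once per JVM (e.g. from a ServletContextListener), never hardcoded in JSP. */
public final class AppSecrets {
    private static final SecureRandom RNG = new SecureRandom();
    private static SecretKey masterKey;   // only ever wraps per-customer data keys
    static String dbUser, dbPassword;     // DB logon details, held in memory after load()
    /** Load from a properties file outside the web root; path and property names are assumptions. */
    public static synchronized void load(String path) throws IOException {
        Properties p = new Properties();
        try (FileInputStream in = new FileInputStream(path)) { p.load(in); }
        masterKey = new SecretKeySpec(Base64.getDecoder().decode(p.getProperty("master.key")), "AES"); // 16/24/32 raw bytes
        dbUser = p.getProperty("db.user");
        dbPassword = p.getProperty("db.password");
    }
    /** Fresh random data key for one customer, returned wrapped under the master key. */
    public static byte[] newWrappedDataKey() throws GeneralSecurityException {
        byte[] key = new byte[32]; RNG.nextBytes(key);
        return seal(masterKey, key);
    }
    /** Records are encrypted under the customer's unwrapped data key, never the master key. */
    public static byte[] encryptRecord(byte[] wrappedKey, byte[] plain) throws GeneralSecurityException {
        return seal(new SecretKeySpec(open(masterKey, wrappedKey), "AES"), plain);
    }
    public static byte[] decryptRecord(byte[] wrappedKey, byte[] blob) throws GeneralSecurityException {
        return open(new SecretKeySpec(open(masterKey, wrappedKey), "AES"), blob);
    }
    // AES-GCM with a fresh 12-byte nonce prefixed to the output; the tag detects tampering.
    private static byte[] seal(SecretKey k, byte[] data) throws GeneralSecurityException {
        byte[] nonce = new byte[12]; RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(data), out = new byte[12 + ct.length];
        System.arraycopy(nonce, 0, out, 0, 12);
        System.arraycopy(ct, 0, out, 12, ct.length);
        return out;
    }
    private static byte[] open(SecretKey k, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }
}
```

Store each customer's wrapped data key beside their rows; rotating the master key then means re-wrapping the small keys rather than re-encrypting every record.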