Securely Saving Passwords in a Configuration File

I’m developing a desktop application and it requires connecting to a remote MySQL database server. Currently, I save all the information needed for the connection, including the server IP, TCP port, username, password, and database name, in a configuration file called app_config.property. However, I realize that this is not a secure way of storing sensitive data.

Data stored in a text file stay there in plain format unless you encrypt that file itself. As a more secure alternative, consider storing your credentials in the MySQL database itself. Hash and salt your password to further enhance security.

Here are some useful links with more information on securely hashing passwords, storing salt, and the purpose of a pepper:

  1. How to securely hash passwords?
  2. How to store salt?
  3. What is the purpose of a Pepper?

EDIT:

Following your comments:

  • If you want to do the same thing as WordPress, Joomla, and other famous CMS do, create a separate table where you can store such information.
  • If you are hosting your web application on a server with limitations on the number of databases and tables you can create, consider creating a PHP configuration file instead of a text file. Ensure that you follow good practices, such as protecting the folder in which this file is located with an .htaccess file.

Leave a Reply

Your email address will not be published. Required fields are marked *