Technique to securely store and display credentials

Post by robrecht » Wed Oct 30, 2024 11:23 am

What would be a good technique to partially display and store sensitive information like passwords or API keys?

In "browse" mode: show the decrypted value from the database like a*********123
In "edit" mode: possibility to change this value. Of course I want to avoid that when going into edit mode, the actual credential is fully shown just by having linked the dataprovider to that field.

I am looking for a generic approach, we have dynamic forms that might contain these fields, so really working with events to show/hide fields or to work with local variables masking the values is not the preferred way

Thanks!
robrecht
 

Re: Technique to securely store and display credentials

Post by mboegem » Wed Oct 30, 2024 3:23 pm

You could use a form variable for this?
In the onShow/onRecordSelection you can set this value to 'a*******123'
In edit mode it will show the same, if you start typing you can see the credentials (or set the field type to display type 'password')
Then use the onDataChange to write a newValue into the actual column.

Personally I would never expose any character of sensitive information nor indication of the length.
Anything will help unauthorised people to know the actual data.

Hope this helps
Marc Boegem
Solutiative / JBS Group, Partner
Servoy Specialist
• Servoy Certified Developer
• Servoy Valued Professional
• Freelance Developer


Re: Technique to securely store and display credentials

Post by robrecht » Wed Oct 30, 2024 9:18 pm

Hi Marc,

Thank you for the answer.

You might be right about exposing any information about sensitive information.
I was somehow hoping for a server-side solution like "onRender" that masks the information sent to the client in a way that I don't have to worry about datachange, locals, etc.
Server => client: mask the value, maybe even like *****
Client => server: act like a normal textbox with a dataprovider

Thanks
Robrecht

Re: Technique to securely store and display credentials

Post by sbutler » Sun Nov 03, 2024 5:44 pm

For user passwords, you should never store them, only store a salted hash of the passwords. Then you salt and hash the user input and compare it to the stored salted/hashed version to see if it matches.

For other stuff like API keys or passwords to external things, if you must store it in your database, then you could also consider a global method column converter on the column. So you store it Blowfish encrypted in the db, display it like ***123 via decrypting it and masking it, and then when the user edits it, you check if it's masked, and if not assume a new value, and then re-encrypt it and store it, which would make it re-render with the masked value. Marc's suggestion of a form variable also works.
Scott Butler
iTech Professionals, Inc.
SAN Partner

Servoy Consulting & Development
Servoy University- Training Videos
Servoy Components- Plugins, Beans, and Web Components
Servoy Guy- Tips & Resources
ServoyForge- Open Source Components
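
The store-encrypted, display-masked, re-encrypt-on-change flow described in the post above, as an added example in plain Node.js; it is not code from any poster in this thread and not Servoy's converter API. The function names (`encryptSecret`, `decryptSecret`, `toDisplay`, `fromEdit`) are hypothetical, the key handling is an assumption, and AES-256-GCM is used in place of the Blowfish cipher the post mentions.

```javascript
// Added example: hypothetical helper names; AES-256-GCM stands in for Blowfish.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Assumption: in production the key comes from a secrets store, not the database.
const KEY = randomBytes(32);
const MASK = '*****'; // fixed width, so the mask does not reveal the secret's length

// Encrypt for storage as base64(iv || auth tag || ciphertext).
function encryptSecret(plain) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', KEY, iv);
  const body = Buffer.concat([cipher.update(plain, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Decrypt a stored value; throws if the ciphertext or tag was tampered with.
function decryptSecret(stored) {
  const raw = Buffer.from(stored, 'base64');
  const decipher = createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Database -> client: only the masked form ever leaves the server.
function toDisplay(stored) {
  if (!stored) return '';
  const plain = decryptSecret(stored);
  // Show the 3-character tail only for long secrets; short ones get the bare mask.
  return plain.length >= 12 ? MASK + plain.slice(-3) : MASK;
}

// Client -> database: compare against the exact mask that was sent out,
// rather than guessing whether the input "looks masked".
// Limitation: a new secret identical to the current mask is treated as unchanged.
function fromEdit(submitted, stored) {
  if (stored && submitted === toDisplay(stored)) return stored; // untouched field
  if (submitted === '') return null; // field cleared: remove the credential
  return encryptSecret(submitted); // anything else is a new secret
}
```
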