I was thinking about the requirements of my first term gsoc project,
the generic password storage. Here are some of my thoughts:
1. Select a Java utility that we’d be able to use for storing passwords
I'm not sure what exactly we are looking for. Java has a default
security provider implementing JCE that can do things like encryption
and decryption, there are other security providers (like BouncyCastle)
that have more algorithms, and then there are libraries (for example
jasypt) that simplify these processes to some extent. But in any case,
some kind of persistent storage is still required, a database or
We could use the following scenario (very similar to what firefox
uses, for example):
The user starts SC. If any (encrypted)saved account passwords are
found in the configuration and the master password is set, a master
password input dialog is presented to the user. If the master password
is not set, then we can use some default hard coded password (or
nothing at all?). The saved accounts' passwords are decrypted with the
master password. When adding new account passwords to be remembered,
the master password input is also presented. The encrypted account
passwords could be stored in the same configuration property as
3 and 2. Define and implement CredentialsStorageService.
Seems straightforward at the moment. An interface for doing all the
things described above is required.
4. Change all existing protocol implementations to use the above service
Actually all protocol implementation extend the abstract
ProtocolProviderFactory that handles accounts and passwords, so all
the changes should be in one place.
5. Password migration: provide a transition utility that would migrate
passwords currently stored in one’s configuration file to the new
utility. The utility would need to do this automatically without
bothering the user.
This could potentially be tricky. SC needs to somehow detect that the
new system is in use and convert everything. Another possibility is to
convert everything only when setting/updating the master password,
since if the master password is not set, there's no real security
Hope to hear some comments/suggestions.