In the login service, a user is posting a json as payload to a Spring RESTful login service like below:
{
    "username": "john",
    "password": "doe"
}
Once the Spring RESTful service receives the call, it compares the password with the one stored in the database in plain text.
I see two problems in the current implementation.
For issue 2, I decided to use bcrypt to encrypt the password stored in the database as mentioned in this post. Is this a good way?
For issue 1, I don't know if there is a best practice for it. Can someone share your insights? Thanks!
Edit:
Sorry that I forgot to mention that the client and server talk through HTTPS. And the password is sent in the POST payload.
In this case, the solution to issue 2 (store the bcrypted correct password in the database) is okay, right?
What about issue 1: in this case, can the password be sent in the POST payload in plain text?
The REST service is stateless and the user has to authenticate upon each request. Hence the username and password will be sent in clear format to the REST service. The backend will hash the password and check against the existing hashed password in the database.
Instead of using just the password as input to the hash function, random bytes (known as a salt) would be generated for every user's password. The salt and the user's password would be run through the hash function, which produces a unique hash. The salt would be stored alongside the user's password hash in clear text.
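The flow the answer above describes (a random salt per user, the hash stored beside it, and the hash recomputed on every stateless request) as an added example that is not from the question or either answer. It uses PBKDF2-HMAC from Python's standard library in place of the bcrypt the question settled on, since the storage and verification flow is the same; the in-memory USERS dict and handle_login are constructed stand-ins for the database table and the Spring login endpoint.

```python
import hashlib
import hmac
import os

# Constructed in-memory "database": username -> (salt, hash). Stands in for the
# table the question describes; a real service persists both columns.
USERS = {}

# The page chose bcrypt; this example uses PBKDF2-HMAC-SHA256 from the standard
# library so it runs without a third-party package. The iteration count is what
# makes brute force against a leaked table slow; size it per current guidance.
ITERATIONS = 600_000

def hash_password(password, salt):
    """Slow, salted hash of the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(username, password):
    """Store salt + hash only; the clear-text password is never written."""
    salt = os.urandom(16)  # fresh random salt for every user's password
    USERS[username] = (salt, hash_password(password, salt))

# Dummy record so a lookup miss costs the same work as a real verification,
# which keeps response time from revealing which usernames exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)

def verify(username, password):
    """Stateless check run on every request: the client sends the clear-text
    password over HTTPS, the server recomputes the hash with the stored salt
    and compares it to the stored hash in constant time."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored) and username in USERS

def handle_login(payload):
    """Maps the page's {"username": ..., "password": ...} JSON to an HTTP status."""
    username = payload.get("username")
    password = payload.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return 400
    return 200 if verify(username, password) else 401

if __name__ == "__main__":
    register("john", "doe")
    print(handle_login({"username": "john", "password": "doe"}))    # 200
    print(handle_login({"username": "john", "password": "wrong"}))  # 401
```

Registering two users with the same password yields two different salts and hashes, which is the property the answer is after.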
There is no reason to encrypt passwords. It's a bad idea. They should be hashed and preferably salted. In case someone steals your database, it'll be harder to compromise your users' passwords.
How to securely store passwords.