I use jsp and servlets in my web application. i need to store passwords in the database. I found that hashing will be the best way to do that. I used this code to do it.
<%@page import="com.jSurvey.entity.*" %>
<%@page import="java.security.MessageDigest" %>
<%@page import="java.security.NoSuchAlgorithmException" %>
<%@page import="java.math.BigInteger" %>
<%@page import="com.jSurvey.controller.*" %>
<%@page import="sun.misc.BASE64Encoder" %>
<%try {
String user = request.getParameter("Username");
String pass = request.getParameter("Password1");
String name = request.getParameter("Name");
String mail = request.getParameter("email");
String phone = request.getParameter("phone");
String add1 = request.getParameter("address1");
String add2 = request.getParameter("address2");
String country = request.getParameter("country");
Login login = new Login();
Account account = new Account();
login.setId(user);
login.setPassword(pass);
if (!(add1.equals(""))) {
account.setAddress1(add1);
}
if (!(add2.equals(""))) {
account.setAddress2(add2);
}
if (!(country.equals(""))) {
account.setCountry(country);
}
account.setId(user);
account.setMail_id(mail);
if (!(phone.equals(""))) {
account.setPhone_no(Long.parseLong(phone));
}
account.setName(name);
java.security.MessageDigest d = null;
d = java.security.MessageDigest.getInstance("SHA-1");
d.reset();
d.update(pass.getBytes("UTF-8"));
byte b[] = d.digest();
String tmp = (new BASE64Encoder()).encode(b);
account.setPassword(tmp);
account.setPrivilege(1);
LoginJpaController logcon = new LoginJpaController();
AccountJpaController acccon = new AccountJpaController();
logcon.create(login);
acccon.create(account);
session.setAttribute("user", user);
response.sendRedirect("dashboard.jsp");
} catch (NumberFormatException ex) {
out.println("Invalid data");
}
%>
When i tried to print the value of tmp, i get some other value.i guess its the hash value of the password. But when i persist this data to the database the original password gets saved there other than the value in tmp..
I am using java derby as the database.
What is the problem???
The password entered by user is concatenated with a random generated salt as well as a static salt. The concatenated string is passed as the input of hashing function. The result obtained is stored in database. Dynamic salt is required to be stored in the database since it is different for different users.
Encrypted passwords In some cases, passwords are stored in a database after being encrypted by a reversible algorithm (rot13, mask encryption…).
Try using a desktop application like KeePassXC. It stores encrypted versions of all your passwords into an encrypted digital vault that keeps you secure with a master password, a key file, or both.
Apache has a commons library, namely Commons Codec, that makes it easier to encode the password. It will do the entire job for you.
import org.apache.commons.codec.digest.DigestUtils;
String pw = DigestUtils.sha256Hex(password);
Or if you want base64:
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.codec.binary.Base64;
byte[] pwBytes = DigestUtils.sha(password);
String b64Pass = Base64.encodeBase64String(pwBytes);
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With