 

How to store passwords in a database?

I use JSP and servlets in my web application. I need to store passwords in the database. I found that hashing will be the best way to do that. I used this code to do it.

    <%@page import="com.jSurvey.entity.*" %>
    <%@page import="java.security.MessageDigest" %>
    <%@page import="java.security.NoSuchAlgorithmException" %>
    <%@page import="java.math.BigInteger" %>
    <%@page import="com.jSurvey.controller.*" %>
    <%@page import="sun.misc.BASE64Encoder" %>
    <%
        try {
            // Registration form fields
            String user = request.getParameter("Username");
            String pass = request.getParameter("Password1");
            String name = request.getParameter("Name");
            String mail = request.getParameter("email");
            String phone = request.getParameter("phone");
            String add1 = request.getParameter("address1");
            String add2 = request.getParameter("address2");
            String country = request.getParameter("country");
            Login login = new Login();
            Account account = new Account();

            // The Login entity is given the password exactly as submitted (no hashing)
            login.setId(user);
            login.setPassword(pass);
            if (!(add1.equals(""))) {
                account.setAddress1(add1);
            }
            if (!(add2.equals(""))) {
                account.setAddress2(add2);
            }
            if (!(country.equals(""))) {
                account.setCountry(country);
            }
            account.setId(user);
            account.setMail_id(mail);
            if (!(phone.equals(""))) {
                account.setPhone_no(Long.parseLong(phone));
            }
            account.setName(name);

            // Unsalted SHA-1 digest of the password, Base64-encoded
            MessageDigest d = MessageDigest.getInstance("SHA-1");
            d.reset();
            d.update(pass.getBytes("UTF-8"));
            byte[] b = d.digest();
            String tmp = (new BASE64Encoder()).encode(b);

            // Only the Account entity is given the digest
            account.setPassword(tmp);
            account.setPrivilege(1);
            LoginJpaController logcon = new LoginJpaController();
            AccountJpaController acccon = new AccountJpaController();
            logcon.create(login);
            acccon.create(account);
            session.setAttribute("user", user);
            response.sendRedirect("dashboard.jsp");
        } catch (NumberFormatException ex) {
            out.println("Invalid data");
        }
    %>

When I tried to print the value of tmp, I get some other value. I guess it's the hash value of the password. But when I persist this data to the database, the original password gets saved there rather than the value in tmp.

I am using Java Derby as the database.

What is the problem?

asked Jun 03 '10 06:06 by rgksugan


People also ask

How passwords are stored in the database?

The password entered by the user is concatenated with a randomly generated per-user salt (and sometimes also a fixed, secret value, often called a pepper). The concatenated string is passed as the input of the hashing function, and the result is stored in the database. The per-user salt must also be stored in the database, since it is different for every user.

Can we store encrypted password in a database?

In some cases, passwords are stored in a database after being transformed by a reversible algorithm (for example rot13 or masking). Because the transformation can be undone, such "encrypted" passwords are no safer than plaintext once the algorithm or key is known.

Where is the safest place to store passwords?

Try using a desktop application like KeePassXC. It stores encrypted versions of all your passwords into an encrypted digital vault that keeps you secure with a master password, a key file, or both.


1 Answer

Apache has a commons library, namely Commons Codec, that makes it easier to encode the password. It will do the entire job for you.

    import org.apache.commons.codec.digest.DigestUtils;

    // Hex-encoded SHA-256 digest of the password (unsalted: the same input always gives the same output)
    String pw = DigestUtils.sha256Hex(password);

Or if you want base64:

    import org.apache.commons.codec.digest.DigestUtils;
    import org.apache.commons.codec.binary.Base64;

    // DigestUtils.sha() computes an (unsalted) SHA-1 digest of the password
    byte[] pwBytes = DigestUtils.sha(password);
    // Base64 text form of the raw digest bytes, suitable for a VARCHAR column
    String b64Pass = Base64.encodeBase64String(pwBytes);
answered Nov 12 '22 19:11 by krico