password management

I have a question about password management. Let's suppose I have a program, the user enters a password, and the data is stored encrypted.

One way would be: encrypt the data with the user's password. Pros: the user takes charge of the security of the password and of how secure the data is. Cons: if the user changes the password, all the data must be decrypted and re-encrypted.

Otherwise: the data is encrypted with a password other than the user's (a random one), and the user's password is used to encrypt the random password. Pros: if the user changes the password, you don't have to re-encrypt everything.

And as for saving the user's password, I am using jasypt.org. Is it okay? What would be the correct way to do it? I think the weak point is the Jasypt encryptor. The data is encrypted with AES-128. I use Jasypt because that's all I know.

user60108 asked Dec 27 '22 10:12

2 Answers

Generally, you should encrypt a data key with the password.

To encrypt, the password would be converted to a key first. You would use a password-based key derivation function (PBKDF) for that. PBKDF2 is currently the most standard option.

You encrypt the data with a randomly generated key. This key is in turn encrypted with the key generated from the password.

To change the password, ask for the original first. Then decrypt the data key. You may then ask for a new password and re-encrypt the data key. The encrypted data itself does not have to be touched.

Maarten Bodewes answered Jan 19 '23 06:01

Basically you want to use salted password hashing. CrackStation has a very good article on the subject.

Richard Schneider answered Jan 19 '23 05:01