how to store passwords in database?
Solution 1
- Add salt. For example append the email to the password before hashing. This will prevent the usage of rainbow tables.
- Make sure you use `tmp` in your `INSERT` query, rather than the original password.
- Don't use `BASE64Encoder`. It is part of Sun's internal libraries and is subject to change. Use commons-codec `Base64`.
Solution 2
Apache has a commons library, namely Commons Codec, that makes it easier to encode the password. It will do the entire job for you.
```java
import org.apache.commons.codec.digest.DigestUtils;

String pw = DigestUtils.sha256Hex(password);
```
Or if you want base64:
```java
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.codec.binary.Base64;

byte[] pwBytes = DigestUtils.sha(password);
String b64Pass = Base64.encodeBase64String(pwBytes);
```
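Putting Solution 1 and Solution 2 together: the example below is added here and is not code from either answer. It uses the Commons Codec `DigestUtils.sha256Hex` call shown above, but generates a random per-user salt with `SecureRandom` instead of reusing the email, stores salt and hash together as one `salt$hash` string, and shows a matching verify step. The class name `PasswordStore`, the method names and the storage format are assumptions; the value returned by `hash` is what belongs in the `INSERT` (or `login.setPassword(...)`), never the raw password.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.commons.codec.digest.DigestUtils;

/**
 * Added example (hypothetical class): salted SHA-256 password storage with
 * Commons Codec. Stored form is "salt$hexHash". A purpose-built slow password
 * hash (PBKDF2, bcrypt) resists brute force better than a plain SHA-256 and is
 * the usual choice in production; the structure below is the same either way.
 */
public class PasswordStore {
    private static final SecureRandom RNG = new SecureRandom();

    /** Produce the value to persist: random salt plus hex SHA-256 of salt||password. */
    public static String hash(String password) {
        byte[] saltBytes = new byte[16];
        RNG.nextBytes(saltBytes);
        // Standard Base64 never contains '$', so it is safe as a separator.
        String salt = Base64.getEncoder().encodeToString(saltBytes);
        return salt + "$" + DigestUtils.sha256Hex(salt + password);
    }

    /** Verify a login attempt against the stored "salt$hexHash" string. */
    public static boolean verify(String password, String stored) {
        int sep = stored.indexOf('$');
        if (sep < 0) {
            return false; // malformed or legacy record
        }
        String salt = stored.substring(0, sep);
        String expected = stored.substring(sep + 1);
        String actual = DigestUtils.sha256Hex(salt + password);
        // Constant-time comparison so timing does not reveal where the hashes differ.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample password, only for demonstration.
        String stored = hash("correct horse battery staple");
        // This string is what goes into the INSERT / login.setPassword(...),
        // not the raw password the user typed.
        System.out.println("persist:    " + stored);
        System.out.println("good login: " + verify("correct horse battery staple", stored));
        System.out.println("bad login:  " + verify("wrong password", stored));
    }
}
```

Because the salt is stored next to the hash, two users with the same password get different stored values, which is what defeats the rainbow-table lookup Solution 1 mentions.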
Author: rgksugan, updated on April 23, 2022
Comments
-
rgksugan about 2 years
I use JSP and servlets in my web application. I need to store passwords in the database. I found that hashing will be the best way to do that. I used this code to do it.
```jsp
<%@page import="com.jSurvey.entity.*" %>
<%@page import="java.security.MessageDigest" %>
<%@page import="java.security.NoSuchAlgorithmException" %>
<%@page import="java.math.BigInteger" %>
<%@page import="com.jSurvey.controller.*" %>
<%@page import="sun.misc.BASE64Encoder" %>
<%
try {
    String user = request.getParameter("Username");
    String pass = request.getParameter("Password1");
    String name = request.getParameter("Name");
    String mail = request.getParameter("email");
    String phone = request.getParameter("phone");
    String add1 = request.getParameter("address1");
    String add2 = request.getParameter("address2");
    String country = request.getParameter("country");
    Login login = new Login();
    Account account = new Account();
    login.setId(user);
    login.setPassword(pass);
    if (!(add1.equals(""))) {
        account.setAddress1(add1);
    }
    if (!(add2.equals(""))) {
        account.setAddress2(add2);
    }
    if (!(country.equals(""))) {
        account.setCountry(country);
    }
    account.setId(user);
    account.setMail_id(mail);
    if (!(phone.equals(""))) {
        account.setPhone_no(Long.parseLong(phone));
    }
    account.setName(name);
    java.security.MessageDigest d = null;
    d = java.security.MessageDigest.getInstance("SHA-1");
    d.reset();
    d.update(pass.getBytes("UTF-8"));
    byte b[] = d.digest();
    String tmp = (new BASE64Encoder()).encode(b);
    account.setPassword(tmp);
    account.setPrivilege(1);
    LoginJpaController logcon = new LoginJpaController();
    AccountJpaController acccon = new AccountJpaController();
    logcon.create(login);
    acccon.create(account);
    session.setAttribute("user", user);
    response.sendRedirect("dashboard.jsp");
} catch (NumberFormatException ex) {
    out.println("Invalid data");
}
%>
```
When I tried to print the value of tmp, I get some other value. I guess it's the hash value of the password. But when I persist this data to the database, the original password gets saved there rather than the value in tmp.
I am using Java Derby as the database.
What is the problem?
-
Matthew Flaschen almost 14 years: Show us some of your db code. Also, you should use a salt.
-
Bill Karwin almost 14 years: Obligatory Coding Horror article: codinghorror.com/blog/2007/09/…
-
rgksugan almost 14 years: But I get a hashed value when I use the algorithm. The problem is, when I persist the data into the database, the hashed value isn't stored in the database but the original value is stored.
-
krico almost 14 years: You have to set `login.setPassword(tmp)`.