custom security (authentication)

manuel aldana
Ranch Hand

Joined: Dec 29, 2005
Posts: 308
Hi,

I am building a webapp and want to implement a simple custom authentication as a login (user/password). I would prefer to hash the password to identify the user, but in webapps it's usual to send passwords to a user in case he forgets it.

So I need to keep unhashed passwords (hashed ones cannot be reconstructed) in my database. Is it usual to still keep hashed passwords, to use them for identification? Or would it be overengineered/unnecessary if I chose both "password-saving" strategies?

Or maybe, in case the user forgets the password, I should send a default password he can change afterwards?

Thanks.


aldana software engineering blog & .more
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41106
but in webapps it's usual to send passwords to an user in case he forgets it.


Absolutely not! In a well-engineered (from a security point of view) web app, a password is never sent to the user. Unfortunately, it is common that cleartext passwords are stored, but it is not necessary. If a user forgets a password, it should be considered compromised, and the user should pick a new one. This can happen through a link that was sent by email to an address associated with a username the user entered before - not to an address the user can enter just then!


Ping & DNS - my free Android networking tools app
manuel aldana
Ranch Hand

Joined: Dec 29, 2005
Posts: 308
Thank you,

Well, I do think the same.

But I just wondered, and found it really strange, how many webapps are sending passwords (even in shopping webapps).

I think it is considered more "user-friendly" and can be used in webapps where no money can be lost or no critical data is submitted (like forums etc.).

In my first post I of course did not mean a default password like "abc123"!! I merely meant a "good" random password computed by the server application.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
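The procedure Ulf describes (store only a salted hash, treat a forgotten password as compromised, mail a one-time reset link to the address already on file) together with the server-generated random secret manuel mentions, as an added example that is not code from this thread or from either poster. It is Python rather than the asker's Java webapp, uses in-memory dicts as constructed stand-ins for the database tables, and the user and record names are made up.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 100_000         # PBKDF2 work factor; raise as hardware allows
TOKEN_TTL_SECONDS = 15 * 60  # a reset link is only valid briefly

# Constructed in-memory stand-ins for the database tables (hypothetical, not a real schema).
USERS = {}         # username -> {"email", "salt", "hash"}; the cleartext password is never stored
RESET_TOKENS = {}  # sha256(token) -> {"username", "expires"}; the raw token exists only in the e-mail

def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest), drawing a fresh random salt if none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(username, email, password):
    salt, digest = hash_password(password)
    USERS[username] = {"email": email, "salt": salt, "hash": digest}

def verify_login(username, password):
    """Compare in constant time against the stored hash; unknown users cost the same time."""
    rec = USERS.get(username)
    if rec is None:
        hash_password(password)  # burn the same work so timing does not reveal valid usernames
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"])[1], rec["hash"])

def request_reset(username, now=None):
    """Forgotten password: return (address on file, one-time token) for the caller to e-mail.
    The address comes from the stored record, never from the form. Unknown user -> None."""
    rec = USERS.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    expires = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {"username": username, "expires": expires}
    return rec["email"], token

def complete_reset(token, new_password, now=None):
    """Consume the token (single use, unexpired) and store only a hash of the new password."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or (now if now is not None else time.time()) > entry["expires"]:
        return False
    salt, digest = hash_password(new_password)
    USERS[entry["username"]].update(salt=salt, hash=digest)
    return True
```

Because only a hash of the reset token is stored, a leaked copy of RESET_TOKENS is no more useful to an attacker than a leaked copy of USERS; the web tier should also show the same "check your mail" message whether or not the username exists.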