GeeCON Prague 2014*

How to Encrypt and Decrypt the password in JSP

rudayashanker
Greenhorn

Joined: Oct 25, 2001
Posts: 11
Hi Guys,
I am working on a login page. I have two fields:
(a) User Name
(b) Password
I wrote a SQL query for inserting the username/password values in the database.
Username and password are inserting great, but the password is inserted as it is.
Can anyone help to encrypt the password before it goes into the database, and while getting it back it has to be decrypted for form validation...
It will be appreciated... Someone can help me....
If anyone has got handy code, that will be nice.....
Thanks
Shankar


------------------
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16095
    

Well, I can't supply you with any pre-debugged code, but I can make a few observations that may help.
1. There is a school of thought that says that passwords should NEVER be decryptable. It might seem counterintuitive, but if there's no way to decrypt the passwords, then anyone breaking into the password database can't harvest them. One-way encryption's sufficient so long as the same result occurs each time you encrypt, since to validate a password, you encrypt it. I like this little trick:

If the count comes back zero, the password (or userID) didn't match. The beautiful thing about this is that in this scenario, even the true encrypted password isn't exposed to normal logic - only the encrypted password under test (I assume that there are no database buffers floating around in snoopable RAM, of course).
As far as the encryption process itself is concerned, the Java cryptography package can be used for that. It's not part of the standard JDKs though, since export restrictions apply.


Customer surveys are for companies who didn't pay proper attention to begin with.
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
Originally posted by Tim Holloway:
As far as the encryption process itself is concerned, the Java cryptography package can be used for that. It's not part of the standard JDKs though, since export restrictions apply.
Actually, the export restrictions have been relaxed to the extent that JCE is going to be part of the core J2SE, v1.4. And you can download it for v1.3.
The standard approach is to add some random information to the password - the "salt" - and calculate a secure hash of the whole. You then save the hash together with the salt. You can do without the salt, but it's cryptographically weaker - passwords tend to be not very random.
- Peter
 