Hi guys, I'm working on a login page. I have two fields: (a) User Name, (b) Password. I wrote a SQL query for inserting the username/password values into the database. The username and password are inserted fine, but the password is inserted as it is. Can anyone help me encrypt the password before it goes into the database, and decrypt it when it is read back for form validation? It would be appreciated if someone could help me. If anyone has handy code, that would be nice. Thanks, Shankar
Well, I can't supply you with any pre-debugged code, but I can make a few observations that may help.

1. There is a school of thought that says that passwords should NEVER be decryptable. It might seem counterintuitive, but if there's no way to decrypt the passwords, then anyone breaking into the password database can't harvest them. One-way encryption is sufficient so long as the same result occurs each time you encrypt, since to validate a password, you encrypt it. I like this little trick:

If the count comes back zero, the password (or user ID) didn't match. The beautiful thing about this is that in this scenario, even the true encrypted password isn't exposed to normal logic, only the encrypted password under test (I assume that there are no database buffers floating around in snoopable RAM, of course). As far as the encryption process itself is concerned, the Java cryptography package can be used for that. It's not part of the standard JDKs though, since export restrictions apply.
An IDE is no substitute for an Intelligent Developer.
Originally posted by Tim Holloway: As far as the encryption process itself is concerned, the Java cryptography package can be used for that. It's not part of the standard JDKs though, since export restrictions apply.
Actually, the export restrictions have been relaxed to the extent that JCE is going to be part of the core J2SE, v1.4. And you can download it for v1.3. The standard approach is to add some random information to the password (the "salt") and calculate a secure hash of the whole. You then save the hash together with the salt. You can do without the salt, but it's cryptographically weaker, since passwords tend not to be very random. - Peter