aspose file tools*
The moose likes Java in General and the fly likes Encrypting/Decrypting passwords using sha or md5 Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Spring in Action this week in the Spring forum!
JavaRanch » Java Forums » Java » Java in General
Bookmark "Encrypting/Decrypting passwords using sha or md5" Watch "Encrypting/Decrypting passwords using sha or md5" New topic
Author

Encrypting/Decrypting passwords using sha or md5

Dilshan Edirisuriya
Ranch Hand

Joined: Apr 22, 2006
Posts: 299
I want to encypt passwords using sha or md5 and store that in the database. Can someone help me in the process of encrypting and decrypting.


Dilshan Edirisuriya SCJP1.4, SCWCD1.4, SCBCD 5
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42285
    
  64
SHA and MD5 are not ciphers (which are used for encryption), but digests. Those can not be reversed, so once something has been run through one of them, you can't recover the original password.

If you want to check a password, the thing to do is to take the password you want to check, run that through the digest algorithm as well, and compare it with the stored, digested password.

An example of how to create a digest using MD5 can be found here.
[ September 17, 2007: Message edited by: Ulf Dittmer ]

Ping & DNS - my free Android networking tools app
Stan James
(instanceof Sidekick)
Ranch Hand

Joined: Jan 29, 2003
Posts: 8791
I just read this Coding Horror blog about passwords. If you still want to store passwords after that, it will help you choose SHA over MD5 and talks about salting, too.


A good question is never answered. It is not a bolt to be tightened into place but a seed to be planted and to bear more seed toward the hope of greening the landscape of the idea. John Ciardi
Nicholas Jordan
Ranch Hand

Joined: Sep 17, 2006
Posts: 1282
Pat Farrell: in Criptography
The standard approach to securing passwords/passphrases is to put them through a one way hash, say MD5 or SHA1, and store the resulting hash. You then tell users that you can not tell them the old password, just give them a new one.


He also showed me the idea of placing the username and the password in the same string that gets fed to the hashing alogrithm, but in no uncertain measure " EVER EVER " store the password on the machine, only it's hash.

What that means is if somebody loses their password, you have to give them a new username and password. Passwords should be changed occasionally. If somebody comes in too often for a new username and password, then you know you have somebody that at least has the willingness to come in and ask for a new username and password - nothing else.

You can walk through a massive 32 bit (4-bytes, java int) or 64 bit (8 - bytes, java long ) in a TreeMap or Tree set so damn fast that it does not make anysense to consider any other approach.

Look up Red-Black trees somewhere.


[ September 17, 2007: Message edited by: Nicholas Jordan ]

"The differential equations that describe dynamic interactions of power generators are similar to that of the gravitational interplay among celestial bodies, which is chaotic in nature."
Stan James
(instanceof Sidekick)
Ranch Hand

Joined: Jan 29, 2003
Posts: 8791
This just triggered a memory that made me smile ... a vendor package encrypted passwords with a simple XOR. Our database folks stared at these so long they eventually learned to READ the encrypted passwords. (Since I sight read vocal music on sax all the time, this makes perfect sense.) You could call them up to recover a lost password. Security, ha!
Nicholas Jordan
Ranch Hand

Joined: Sep 17, 2006
Posts: 1282
It's late on Friday, what the heck.

I checked my posts hoping to ask a question about writing a compiler shell for javac on Win that addresses the un-interruptible hang that a read() blocks on from ... [ well, you guys know what I am talking about ]

Thus, to bear more seed, I considered in concepting my program to put up a color chooser and short list of fav's for a user to answer when salting the randomizer. We could do response timings, usually considered to be the shell way, or the standard constructor for C:\src_jdk1.5.0_12\java\util\Random.java .... the cited website by Jeff Atwood discusses the matter in depth and with remarkable candor.

The Latrodectae of the Webspace of WWW is the most venomous mindfield { intentional parody of minefield } where the thought-field of entire companies and nations can both gel their commonality as well as become the subject of a Red-Black tree where Chaotic wars can, and in my opinion do, bias known and knowable from what really needs to be known.

Here, I would approach the moment as an attempt to play the harmonics by making an analogy to the sax - but have taken a more direct approach with Dr. Farrell in Meaningless Drivel::The Liquor Cabinet & the Whiskey Rebellion where we can do more useful work because he is formally trained in the subject as well as having both worked in the degree field he is trained in as well as displaying expertise in splitting nuances that are significant Gotcha's in long-run operation of a Class 5 Data Center.

What is a Class 5 Data Center ? I have no remote notion but I know the problem is the same.

What is difficult to grasp in this, because most readers and responders have to work day to day in an actual installation, is that real cryptographic study is available on the checkout lane of the grocery store. Just try writing a non-trivial cross-word solver, and that the real Crypto - whatever it is we are really talking about; really is in the domain of human thought.

There, conventional wisdom in the computer science is to label the work Social Engineering. That may be the correct label, but such label always invokes discussion of tasteful renditions of imaginative works - often portrayed by Gene Hackman - that discuss the matter in an entertaining way.

And guess what, speak of evil .... then there is evil.
Speak of good, then there is good.

But neither of those are titainium-grade isolators from the vast wasteland where a 1-mhz or 1-ghz processor is rendered useless by a blocking Thread. I thought to utilize a portion of that time by making an ai tool that will inspect the color chooser responses color chooser and short list of fav's for a user to answer as a clue into how the password management challenge may be more effectively approached.









Takers ?

[ see the real Skin Crawlers at: Browser Security - Cracker: One who breaks security on a system. ]
[ September 21, 2007: Message edited by: Nicholas Jordan ]
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
    5

Originally posted by Stan James:
This just triggered a memory that made me smile ... a vendor package encrypted passwords with a simple XOR. Our database folks stared at these so long they eventually learned to READ the encrypted passwords. (Since I sight read vocal music on sax all the time, this makes perfect sense.) You could call them up to recover a lost password. Security, ha!


Sadly, far too many vendors do such lame stuff and pretend it is security.
I've seen folks MIME encode the ascii and claim its encryption. Sigh.
Nicholas Jordan
Ranch Hand

Joined: Sep 17, 2006
Posts: 1282
[Pat Farrell:]   I've seen folks MIME encode the ascii and claim its encryption. Sigh

While working on this recently I saw a cracker that works on the actual default encipherment routine spec'd by MIME - claiming that it could be routinely broken by a background level process running for a few hours on an unloaded machine. Do you know the link or related so I can try to build this locally, I lost the sources in all the stuff I have downloaded.

Nick -

It seems some people are in denial:

Denial of Service
 
 
subject: Encrypting/Decrypting passwords using sha or md5