Password Encryption

Ben Fields

Joined: May 02, 2002
Posts: 1
I am working on an Intranet (Financial Application) project where I need to encrypt user passwords and store them in the database (in encrypted form). Please help me with how best I could achieve this requirement in Java.
Thanks in advance.
Thomas Paul
mister krabs
Ranch Hand

Joined: May 05, 2000
Posts: 13974
There are several ways to do this. The easiest way is to transform the password into a message digest and store the message digest in the database. The nice thing about this is that it is a one-way transition. There is no way to take a message digest and get the original password back. So whenever you want to see if the user has specified a valid password, you take the password they entered, run it through the message digest, and compare that to the password in the database. Here is a piece of the code:
import java.security.MessageDigest;
// input is a byte[] containing the password entered by the user
MessageDigest md = MessageDigest.getInstance("SHA"); // "SHA" is the JDK name for SHA-1
byte[] digest = md.digest(input);                    // digest() takes the input bytes, it is not indexed
digest now contains the message digest that you need to compare to the database.
Good luck.

Associate Instructor - Hofstra University
Amazon Top 750 reviewer - Blog - Unresolved References - Book Review Blog
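The register-then-verify flow Tom describes, written out as an added example (this is not code from the thread): the digest is computed once when the password is set and recomputed on login for comparison. It adds two things the snippet above does not show, a random per-user salt stored beside the digest and a constant-time comparison, and uses SHA-256 rather than the "SHA" (SHA-1) name; the class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class PasswordDigestDemo {

    // Each user gets a random salt so two users with the same password do not
    // end up with the same stored digest. The salt is not secret; it is stored
    // in the database next to the digest.
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // digest = SHA-256(salt || password). Feeding the salt first means the same
    // password yields a different digest for every user.
    static byte[] digest(byte[] salt, char[] password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(new String(password).getBytes(StandardCharsets.UTF_8));
        return md.digest();
    }

    // Login check: recompute the digest from the stored salt and the entered
    // password, then compare. MessageDigest.isEqual runs in constant time, so
    // the comparison does not reveal how many leading bytes matched the way a
    // hand-written loop that returns on the first mismatch would.
    static boolean verify(byte[] storedSalt, byte[] storedDigest, char[] entered)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(storedDigest, digest(storedSalt, entered));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Registration with a constructed sample password (not a real credential).
        char[] password = "correct horse battery staple".toCharArray();
        byte[] salt = newSalt();
        byte[] stored = digest(salt, password);
        System.out.println("stored salt   = " + Base64.getEncoder().encodeToString(salt));
        System.out.println("stored digest = " + Base64.getEncoder().encodeToString(stored));

        // Login attempts: the right password and a wrong one.
        System.out.println("right password accepted: " + verify(salt, stored, password));
        System.out.println("wrong password accepted: " + verify(salt, stored, "wrong password".toCharArray()));
    }
}
```

A plain digest is fast to compute, so a deliberately slow password-stretching function such as PBKDF2 (available in the JDK as SecretKeyFactory "PBKDF2WithHmacSHA256") is the usual choice today; the store-and-recompute structure of the check stays the same.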
Rob Ross

Joined: Jan 07, 2002
Posts: 2205
Look at using JCE (Java Cryptography Extension); it's a standard part of JDK 1.4 (javax.crypto), but it's an optional package in previous versions of the JDK; you can d/l them from Sun.

Basically, you want to run an encryption algorithm on the password, send it to the server, and have the server compare the encrypted password to the version of the encrypted password stored in your database. If they match, the user has entered the correct password. This is the method most Unix systems use to keep the passwords secure; they're never sent in the clear.

SCJP 1.4
Rob Ross

Joined: Jan 07, 2002
Posts: 2205
Yea, Tom's example is much easier than mine, so I'd go with that.
I agree. Here's the link: