I am working on an Intranet (financial application) project where I need to encrypt user passwords and store them in the database (in encrypted form). Please help me with how best I could achieve this requirement with Java. Thanks in advance.
Thomas Paul
mister krabs
Ranch Hand
Joined: May 05, 2000
Posts: 13974
There are several ways to do this. The easiest way is to transform the password into a message digest and store the message digest in the database. The nice thing about this is that it is a one-way transition. There is no way to take a message digest and get the original password back. So whenever you want to see if the user has specified a valid password, you take the password they entered, run it through the message digest, and compare that to the password in the database. Here is a piece of the code:

import java.security.MessageDigest;

// input is a byte[] containing the password entered by the user
MessageDigest md = MessageDigest.getInstance("SHA");
md.update(input);
// digest() takes no arguments and returns the finished hash
byte[] digest = md.digest();

digest now contains the message digest that you need to compare to the database. Good luck.
Look at using JCE (Java Cryptography Extension); it's a standard part of JDK 1.4 (javax.crypto), but it's an optional package in previous versions of the JDK; you can download them from Sun.
Basically, you want to run an encryption algorithm on the password, send it to the server, and have the server compare the encrypted password to the version of the encrypted password stored in your database. If they match, the user has entered the correct password. This is the method most Unix systems use to keep the passwords secure; they're never sent in the clear.
Rob
SCJP 1.4
Rob Ross
Bartender
Joined: Jan 07, 2002
Posts: 2205
Yea, Tom's example is much easier than mine, so I'd go with that.
I agree. Here's the link: http://ej-technologies/jprofiler - if it wasn't for jprofiler, we would need to run our stuff on 16 servers instead of 3.