
Safe storing user's password - how to encrypt it?

 
Marek Krokosinski
Ranch Hand
Posts: 64
Hello.

I want to do a simple login system. I'm using servlets, JSP and Hibernate (for communicating the password). So I have a form in my JSP page, which contains a "password" field. After submitting the form, all validations are made and then all of the fields go to the servlet.

And here are my questions:

1. Passwords go to the servlet as raw text, right? So I should do the encryption on the client side (using JavaScript)?
2. Let's say that I want to send the password to the servlet as raw text and encrypt it in the servlet. Are there any libraries or JSTL tags to do that, or do I have to write the script myself?
3. If I have an encrypted password and my servlet saves it in the DB, then when the user tries to log in and types the login name and password in the form, I have to encrypt it with the same script before checking it against the database, right?
4. If the user forgets the password, should I have a second script for decrypting the password, or should I send the user a somehow-generated link to change the password?

I think that's all for now. Thank you for reading.

 
Bear Bibeault
Author and ninkuma
Marshal
  • Likes 1
Marek Krokosinski wrote:
1. Passwords go to the servlet as raw text, right? So I should do the encryption on the client side (using JavaScript)?

No. Use SSL and let the browser handle it.

Marek Krokosinski wrote:
2. Let's say that I want to send the password to the servlet as raw text and encrypt it in the servlet. Are there any libraries or JSTL tags to do that, or do I have to write the script myself?

Java includes encryption algorithms. You want to be sure to use a one-way hash such as MD5 or SHA or any non-decryptable algorithm. Be sure to use a salt value to avoid dictionary lookup attacks.

Marek Krokosinski wrote:
3. If I have an encrypted password and my servlet saves it in the DB, then when the user tries to log in and types the login name and password in the form, I have to encrypt it with the same script before checking it against the database, right?

Yes. Otherwise how will you end up with the same result?

Marek Krokosinski wrote:
4. If the user forgets the password, should I have a second script for decrypting the password, or should I send the user a somehow-generated link to change the password?

No. You should not use a decryptable algorithm as noted above. If the user forgets their password, simply make them create a new one once you've established that they are legit.
 
Marek Krokosinski
Ranch Hand
Posts: 64
Thank you for the answers.

Do I have to set up something in my application to use SSL? Or should I set it up in my container configuration file (in this case it will be JBoss)?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64716
SSL is set up exterior to web apps. Pretty much the only thing that needs to be done within the web apps is to make sure you are not using absolute URLs (which you usually should not be using in any case) that hard-code the protocol.
 
Marek Krokosinski
Ranch Hand
Posts: 64
Bear Bibeault wrote:
SSL is set up exterior to web apps.

Really? I have to check that on my webapp. I don't use absolute URLs, but I think I don't have an SSL connection.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64716
If you haven't purchased an SSL certificate and set up SSL on your server, then you aren't using SSL. Search for instructions elsewhere -- it's not a servlet concept.
 