JavaRanch » Java Forums » Java » Servlets
Safe storing user's password - how to encrypt it?

Marek Krokosinski
Ranch Hand

Joined: Jun 10, 2011
Posts: 64
Hello.

I want to make a simple login system. I'm using servlets, JSP and Hibernate (for communicating the password). So I have a form in my JSP page, which contains a "password" field. After submitting the form, all validations are made and then all of the fields go to the servlet.

And here are my questions:

1. The password goes to the servlet as raw text, right? So should I encrypt it on the client side (using JavaScript)?
2. Let's say that I want to send the password to the servlet as raw text and encrypt it in the servlet. Are there any libraries or JSTL tags to do that? Or do I have to write the script myself?
3. If I have an encrypted password and my servlet saves it in the DB, then when the user tries to log in and types the login name and password in the form, I have to encrypt it with the same script before checking it against the database, right?
4. If a user forgets the password, should I have a second script for decrypting the password, or should I send the user some generated link to change the password?

I think that's all for now. Thank you for reading.

Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61318
    

Marek Krokosinski wrote: 1. The password goes to the servlet as raw text, right? So should I encrypt it on the client side (using JavaScript)?

No. Use SSL and let the browser handle it.

Marek Krokosinski wrote: 2. Let's say that I want to send the password to the servlet as raw text and encrypt it in the servlet. Are there any libraries or JSTL tags to do that? Or do I have to write the script myself?

Java includes encryption algorithms. You want to be sure to use a one-way hash such as MD5 or SHA or any non-decryptable algorithm. Be sure to use a salt value to avoid dictionary lookup attacks.

Marek Krokosinski wrote: 3. If I have an encrypted password and my servlet saves it in the DB, then when the user tries to log in and types the login name and password in the form, I have to encrypt it with the same script before checking it against the database, right?

Yes. Otherwise how will you end up with the same result?

Marek Krokosinski wrote: 4. If a user forgets the password, should I have a second script for decrypting the password, or should I send the user some generated link to change the password?

No. You should not use a decryptable algorithm as noted above. If the user forgets their password, simply make them create a new one once you've established that they are legit.

Marek Krokosinski
Ranch Hand

Joined: Jun 10, 2011
Posts: 64
Thank you for the answers.

Do I have to set up something in my application to use SSL? Or should I set it up in my container configuration file (in this case it will be JBoss)?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61318
    

SSL is set up exterior to web apps. Pretty much the only thing that needs to be done within the web apps is to make sure you are not using absolute URLs (which you usually should not be using in any case) that hard-code the protocol.
Marek Krokosinski
Ranch Hand

Joined: Jun 10, 2011
Posts: 64
Bear Bibeault wrote: SSL is set up exterior to web apps.

Really? I have to check that in my webapp. I don't use absolute URLs, but I think I don't have an SSL connection.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61318
    

If you haven't purchased an SSL certificate and set up SSL on your server, then you aren't using SSL. Search for instructions elsewhere -- it's not a servlet concept.
 