encrypted passwords at database end

 
Ranch Hand
Hello. At the database end I have encrypted the code. Now I am unable to log in to my website, since it cannot compare the password entered by the user with the encrypted passwords. Can anyone please help?

What I need to do is, at the time of authentication, first decrypt the encrypted password, compare the decrypted password with the password entered by the user, and once the user has successfully logged in, encrypt the data again. Please help.
 
Marshal
No -- you never want to decrypt the passwords. In fact, they should be encrypted in such a way that they cannot be decrypted.

Rather, you want to encrypt the plain-text password that the user enters, and then compare the encrypted versions. Your encryption algorithm should be such that the same phrase always encrypts to the same value.
 
Sumit RawalArora
Ranch Hand
What I need to do is, at the time of authentication, first encrypt the password entered by the user, then compare the encrypted password with the passwords encrypted at the database end, so that the user will be able to log in. Password decryption is not required, but the comparison must be there.
 
Bear Bibeault
Marshal
Yes, that's what you need to do. What's the problem?
 
Marshal
I believe the term for what you want to do to the passwords is "hashing" and not "encrypting". The problem with encryption is that decryption is possible, that's by design. So if you have an encrypted password there's a known way to find out what the password is. But hashing, if you do it right, cannot be reversed.
 
Sumit RawalArora
Ranch Hand
No, I want to do encryption only.
I have done the encryption at the IBM DB2 end. Now the passwords are being shown in encrypted form only.

The only thing I am having a problem with is this:
When the user logs in to the screen using the UI on Internet Explorer:

First it needs to convert the database password back to the decrypted password.

Compare the user-entered password to the decrypted password.

If the passwords match, the user will be able to log in successfully.

Once the user has successfully logged in, it converts the decrypted database-end password back to the encrypted one.

Please post if you have any query. I will explain more clearly.

Thanks in advance for your reply.

 
Saloon Keeper
Sorry, but no. As a responsible professional, you can't implement that sort of thing. If someone told you to make it so passwords can be decrypted, show them articles from the trade press about sites that were hacked where they hadn't stored passwords hashed. I would think that these days a court might even find that criminally negligent behavior.
 
Marshal
It would, at the least, be gross professional negligence on your part to ignore these warnings about using encryption instead of hashing. You will expose yourself, your company, and your clients to substantial risks by doing that. You would be quite foolish to continue to ignore these warnings.
 
Master Rancher
Indeed, the passwords should never leave the database, whether they're hashed, encrypted or whatever.
As soon as you find yourself thinking along those lines you know you've got something wrong.

And yes, as others have said, hashing is what you want to be using.
And if someone asks "how am I supposed to get my password when I forget it?", the answer is "you aren't".
 
Java Cowboy
Sumit RawalArora wrote: No, I want to do encryption only.
First it needs to convert the database password back to the decrypted password.
Compare the user-entered password to the decrypted password.
If the passwords match, the user will be able to log in successfully.

This is not how this is normally done, for security reasons. This should be implemented in the following way instead:

- When you create a new user account and set the password, you don't store the password - instead, you use a cryptographic hash function to calculate a hash of the password, and that is what you store in the database.

- When a user wants to log in, then you use the same cryptographic hash function to calculate the hash of the password that the user entered.

- Then you compare the password hash in the database to the hash of the password that was entered. If they are the same, then the user entered the correct password.

A cryptographic hash function is a one-way function - that means that you can calculate the hash of a password, but from the hash it is (practically) impossible to get the original password back. So, there is no way to decrypt the hash. The reason for this is security. If a hacker breaks into the system and gets a copy of the user table, then he still does not know the passwords.
 
Junilu Lacar
Marshal
Dave is right, you should only allow users to reset their password, never retrieve it.
 
lowercase baba
Take about 10 minutes and watch this:

I think he does a pretty good job of explaining why this is not a good idea. He talks about what you are doing starting around 2:45 as "bad idea #2".
 
Junilu Lacar
Marshal
For those who didn't watch the video all the way through, the advice on how to store passwords was to use hashing and salting. The guy in the video is of course correct in saying that hashing is still vulnerable to cracking if you don't salt your hashes.
 
Saloon Keeper
Yes, but don't write code to hash and salt your passwords please.

Use tried and true algorithms like bcrypt and PBKDF2 to generate a hash from a password. These algorithms also rehash your password multiple times to make certain attacks more computationally expensive.
 
Marshal

Junilu Lacar wrote:. . . the advice on how to store passwords was to use hashing and salting. . . .

Maybe in a few years different techniques will be developed better than hash‑and‑salt.
I think I have seen that video before.
 
fred rosenberger
lowercase baba
I've probably posted that video here before.

And to his credit, the speaker in the video does say that "if you are watching this at some point in the future, please look up a recent tutorial" - making it clear we may discover new vulnerabilities or improved security measures.
 