Safe storing user's password - how to encrypt it?

 
Ranch Hand
Hello.

I want to do a simple login system. I'm using servlets, JSP and Hibernate (for communicating the password). So I have a form in my JSP page which contains a "password" field. After submitting the form, all validations are made and then all of the fields go to the servlet.

And here are my questions:

1. The password goes to the servlet as raw text, right? So should I encrypt it on the client side (using JavaScript)?
2. Let's say that I want to send the password to the servlet as raw text and encrypt it in the servlet. Are there any libraries or JSTL tags to do that? Or do I have to write the script myself?
3. If I have an encrypted password and my servlet saves it in the DB, then when the user tries to log in and types the login name and password in the form, before checking it in the database I have to encrypt it with the same script, right?
4. If the user forgets the password, should I have a second script for decrypting the password, or should I send the user some generated link to change the password?

I think that's all for now. Thank you for reading.

 
Sheriff

Marek Krokosinski wrote: 1. The password goes to the servlet as raw text, right? So should I encrypt it on the client side (using JavaScript)?

No. Use SSL and let the browser handle it.

Marek Krokosinski wrote: 2. Let's say that I want to send the password to the servlet as raw text and encrypt it in the servlet. Are there any libraries or JSTL tags to do that? Or do I have to write the script myself?

Java includes encryption algorithms. You want to be sure to use a one-way hash such as MD5 or SHA or any non-decryptable algorithm. Be sure to use a salt value to avoid dictionary lookup attacks.

Marek Krokosinski wrote: 3. If I have an encrypted password and my servlet saves it in the DB, then when the user tries to log in and types the login name and password in the form, before checking it in the database I have to encrypt it with the same script, right?

Yes. Otherwise how will you end up with the same result?

Marek Krokosinski wrote: 4. If the user forgets the password, should I have a second script for decrypting the password, or should I send the user some generated link to change the password?

No. You should not use a decryptable algorithm as noted above. If the user forgets their password, simply make them create a new one once you've established that they are legit.
 
Marek Krokosinski
Ranch Hand
Thank you for the answers.

Do I have to set up something in my application to use SSL? Or should I set it up in my container configuration file (in this case it will be JBoss)?
 
Bear Bibeault
Sheriff
SSL is set up exterior to web apps. Pretty much the only thing that needs to be done within the web apps is to make sure you are not using absolute URLs (which you usually should not be using in any case) that hard-code the protocol.
 
Marek Krokosinski
Ranch Hand
Bear Bibeault wrote: SSL is set up exterior to web apps.

Really? I have to check that on my webapp. I don't use absolute URLs, but I think I don't have an SSL connection.
 
Bear Bibeault
Sheriff
If you haven't purchased an SSL certificate and set up SSL on your server, then you aren't using SSL. Search for instructions elsewhere -- it's not a servlet concept.