How to Encrypt and Decrypt the password in JSP

 
Greenhorn
Posts: 11
Hi Guys,
I am working on a login page that has two fields:
(a) User Name
(b) Password
I wrote a SQL query for inserting the username/password values into the database.
Username and password are inserted fine, but the password is inserted as-is.
Can anyone help me encrypt the password before it goes into the database, and decrypt it when getting it back for form validation?
It would be appreciated. Can someone help me?
If anyone has handy code, that would be nice.
Thanks
Shankar


------------------
 
Saloon Keeper
Posts: 28469
Well, I can't supply you with any pre-debugged code, but I can make a few observations that may help.
1. There is a school of thought that says that passwords should NEVER be decryptable. It might seem counterintuitive, but if there's no way to decrypt the passwords, then anyone breaking into the password database can't harvest them. One-way encryption is sufficient so long as the same result occurs each time you encrypt, since to validate a password, you encrypt it. I like this little trick:

If the count comes back zero, the password (or user ID) didn't match. The beautiful thing about this is that in this scenario, even the true encrypted password isn't exposed to normal logic, only the encrypted password under test (I assume that there are no database buffers floating around in snoopable RAM, of course).
As far as the encryption process itself is concerned, the Java cryptography package can be used for that. It's not part of the standard JDKs, though, since export restrictions apply.
 
author
Posts: 3252

Originally posted by Tim Holloway:
As far as the encryption process itself is concerned, the Java cryptography package can be used for that. It's not part of the standard JDKs, though, since export restrictions apply.

Actually, the export restrictions have been relaxed to the extent that the JCE is going to be part of the core J2SE v1.4, and you can download it for v1.3.
The standard approach is to add some random information to the password, the "salt", and calculate a secure hash of the whole. You then save the hash together with the salt. You can do without the salt, but it's cryptographically weaker, because passwords tend not to be very random.
- Peter
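Putting the two replies together, here is an added example (not code from either poster, and not the trick Tim left out of his post) of the salt-and-hash storage Peter describes, with the one-way login check Tim's count query is getting at. It uses PBKDF2WithHmacSHA256 from the JDK's own SecretKeyFactory (part of standard Java since Java 8, so no separate JCE download is needed today) rather than a single digest, because an iterated hash makes brute-forcing a leaked table far slower. The in-memory Map standing in for the users table, the record format iterations:salt:hash, the sample username and the iteration count are assumptions chosen for illustration. One caveat on the COUNT(*) trick: with a random per-user salt you cannot hash the candidate password until you have read that user's salt, so the login check becomes "SELECT the stored record by username, re-derive the hash, compare in application code" rather than a single WHERE password = ? query.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Salted one-way password storage for a login page (added example).
 * The password column holds "iterations:salt:hash" (salt and hash base64),
 * so the salt is saved together with the hash and nothing is ever decrypted.
 */
public class SaltedPasswordStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 100_000; // assumption: tune so one hash takes ~100 ms on the server
    private static final int HASH_BITS = 256;

    /** Assumption: stand-in for the users table, username -> stored password record. */
    private final Map<String, String> users = new HashMap<>();

    /** Registration: this is what the INSERT should store instead of the plaintext. */
    public void register(String username, char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                                   // fresh random salt per user
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        users.put(username, ITERATIONS + ":" + b64(salt) + ":" + b64(hash));
        // With JDBC: INSERT INTO users (username, password) VALUES (?, ?) using a PreparedStatement
    }

    /**
     * Login check: read the stored record (SELECT password FROM users WHERE username = ?),
     * re-derive the hash with the stored salt and iteration count, and compare.
     */
    public boolean login(String username, char[] candidate) throws GeneralSecurityException {
        String stored = users.get(username);
        if (stored == null) {
            // Unknown user: do the same work anyway so response time does not reveal valid usernames.
            pbkdf2(candidate, new byte[SALT_BYTES], ITERATIONS);
            return false;
        }
        String[] parts = stored.split(":");
        if (parts.length != 3) {
            return false;                                      // malformed record, treat as failed login
        }
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(candidate, salt, iterations);
        return MessageDigest.isEqual(expected, actual);        // constant-time comparison
    }

    /** PBKDF2-HMAC-SHA256 from the JDK: a salted, iterated one-way function. */
    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                              // drop the password chars from the spec
        }
    }

    private static String b64(byte[] bytes) {
        return Base64.getEncoder().encodeToString(bytes);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SaltedPasswordStore store = new SaltedPasswordStore();
        store.register("shankar", "correct horse".toCharArray());   // assumption: sample user
        System.out.println("correct password: " + store.login("shankar", "correct horse".toCharArray()));
        System.out.println("wrong password:   " + store.login("shankar", "wrong".toCharArray()));
        System.out.println("unknown user:     " + store.login("nobody", "correct horse".toCharArray()));
    }
}
```

Run main to see a registration followed by a correct, a wrong and an unknown-user login attempt. MessageDigest.isEqual compares in constant time, so a mismatch in the first byte takes as long as one in the last, and the unknown-user branch pays the same PBKDF2 cost as a real check so the two failures are not distinguishable by timing. Storing the iteration count in the record lets you raise it later for new registrations without breaking existing logins.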
 