
Encrypting and decrypting

 
Mike Firkser
Ranch Hand
Posts: 249
Java Oracle PHP
We're in the process of completely redoing our web app, and one of the changes we're implementing is encrypting passwords in our database. In one of the forums here at the Ranch I found a way to use the MessageDigest class to encrypt passwords. However, there is a debate here on whether we want to be able to decrypt the passwords (in case a user forgets theirs). While giving them a new password is an option we're looking at, is there a class or way we can use that can both encrypt and decrypt passwords?
Thanks in advance.
 
john smith
Ranch Hand
Posts: 75
My 2 cents: it's better to hash passwords in the DB rather than encrypt/decrypt them. This way the *only* route to check their validity is through your app. If a user forgets their password, let them create a new one rather than potentially passing passwords over an insecure medium (email or telephone).
 
Mike Firkser
Ranch Hand
Posts: 249
Java Oracle PHP
Hash passwords??
 
john smith
Ranch Hand
Posts: 75
Hashing is sort of one-way encryption: you turn the clear-text password into a hash value. You can't then get the value of the password back out; you can only compare hashed values through your app, hence it's more secure. Have a look in the Java Cryptography Architecture API Specification & Reference in the JDK JavaDocs for a full explanation.
 
Mike Firkser
Ranch Hand
Posts: 249
Java Oracle PHP
Thanks.
There has been some discussion here about how we want to proceed - I wanted to do the hashing with the MessageDigest class and let the user get a new password if they don't have the good sense to put it on a post-it note and stick it to their monitor. But it looks like I lost (the story of my life).
 
Stan James
(instanceof Sidekick)
Ranch Hand
Posts: 8791
A couple of years ago we bought a framework from a vendor. We turned on password encryption for the database. It turned out to be a very dumb letter-transposition algorithm. Our DBA learned to read the encoded passwords so she could recover them for people. Don't do that. I like the one-way hash; have used that other places. Many sites or apps have a couple of challenge questions (your mother's oldest pet's birthday) that let users reset their passwords.
 