Encrypting/Decrypting passwords using sha or md5

 
Ranch Hand
Posts: 299
I want to encrypt passwords using SHA or MD5 and store that in the database. Can someone help me with the process of encrypting and decrypting?
 
Rancher
Posts: 43081
SHA and MD5 are not ciphers (which are used for encryption), but digests. Those cannot be reversed, so once something has been run through one of them, you can't recover the original password.

If you want to check a password, the thing to do is to take the password you want to check, run that through the digest algorithm as well, and compare it with the stored, digested password.

An example of how to create a digest using MD5 can be found here.
[ September 17, 2007: Message edited by: Ulf Dittmer ]
 
(instanceof Sidekick)
Posts: 8791
I just read this Coding Horror blog about passwords. If you still want to store passwords after that, it will help you choose SHA over MD5 and talks about salting, too.
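The two replies above describe the whole scheme: digest the password with a salt when it is stored, then digest the candidate the same way and compare at login. The class below is an added example written for this thread, not code from any of the posters. It assumes the application can keep one text column per user (the salt and the SHA-256 digest, both Base64, joined with a colon) and runs on Java 8 or later, which ships `java.util.Base64` and `MessageDigest.isEqual`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/** Added example: salted one-way password storage and verification. */
public class PasswordDigest {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;

    /** Produces the value to persist: "base64(salt):base64(sha256(salt || password))". */
    public static String store(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                       // fresh random salt per user, never reused
        byte[] digest = digest(salt, password);
        return Base64.getEncoder().encodeToString(salt)
             + ":" + Base64.getEncoder().encodeToString(digest);
    }

    /** Re-digests the candidate with the stored salt and compares in constant time. */
    public static boolean verify(String candidate, String stored) {
        String[] parts = stored.split(":", 2);
        if (parts.length != 2) {
            return false;                          // malformed record, never a match
        }
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = digest(salt, candidate);
        // MessageDigest.isEqual does not short-circuit on the first differing byte,
        // so the comparison time does not leak how much of the digest matched.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);                       // salt first, then the password bytes
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            // Every conforming JRE must provide SHA-256, so this is a configuration error.
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        String stored = store("correct horse");    // constructed sample password
        System.out.println("stored record: " + stored);
        System.out.println("right password accepted: " + verify("correct horse", stored));
        System.out.println("wrong password rejected: " + !verify("wrong horse", stored));
    }
}
```

The salt is what defeats precomputed tables and keeps two users with the same password from producing the same stored value. A single fast digest such as SHA-256 is still quick to brute-force offline, so a current deployment would swap `digest()` for a deliberately slow password hash such as PBKDF2 (`SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")` in the JDK) while keeping the store/verify structure above unchanged.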
 
Ranch Hand
Posts: 1282

Pat Farrell: in Cryptography
The standard approach to securing passwords/passphrases is to put them through a one way hash, say MD5 or SHA1, and store the resulting hash. You then tell users that you cannot tell them the old password, just give them a new one.

He also showed me the idea of placing the username and the password in the same string that gets fed to the hashing algorithm, but in no uncertain measure "EVER EVER" store the password on the machine, only its hash.

What that means is if somebody loses their password, you have to give them a new username and password. Passwords should be changed occasionally. If somebody comes in too often for a new username and password, then you know you have somebody that at least has the willingness to come in and ask for a new username and password - nothing else.

You can walk through a massive 32-bit (4 bytes, Java int) or 64-bit (8 bytes, Java long) in a TreeMap or TreeSet so damn fast that it does not make any sense to consider any other approach.

Look up Red-Black trees somewhere.


[ September 17, 2007: Message edited by: Nicholas Jordan ]
 
Stan James
(instanceof Sidekick)
Posts: 8791
This just triggered a memory that made me smile ... a vendor package encrypted passwords with a simple XOR. Our database folks stared at these so long they eventually learned to READ the encrypted passwords. (Since I sight read vocal music on sax all the time, this makes perfect sense.) You could call them up to recover a lost password. Security, ha!
 
Nicholas Jordan
Ranch Hand
Posts: 1282
It's late on Friday, what the heck.

I checked my posts hoping to ask a question about writing a compiler shell for javac on Win that addresses the un-interruptible hang that a read() blocks on from ... [ well, you guys know what I am talking about ]

Thus, to bear more seed, I considered in concepting my program to put up a color chooser and short list of fav's for a user to answer when salting the randomizer. We could do response timings, usually considered to be the shell way, or the standard constructor for C:\src_jdk1.5.0_12\java\util\Random.java .... the cited website by Jeff Atwood discusses the matter in depth and with remarkable candor.

The Latrodectae of the Webspace of WWW is the most venomous mindfield { intentional parody of minefield } where the thought-field of entire companies and nations can both gel their commonality as well as become the subject of a Red-Black tree where Chaotic wars can, and in my opinion do, bias known and knowable from what really needs to be known.

Here, I would approach the moment as an attempt to play the harmonics by making an analogy to the sax - but have taken a more direct approach with Dr. Farrell in Meaningless Drivel::The Liquor Cabinet & the Whiskey Rebellion where we can do more useful work because he is formally trained in the subject as well as having both worked in the degree field he is trained in as well as displaying expertise in splitting nuances that are significant Gotcha's in long-run operation of a Class 5 Data Center.

What is a Class 5 Data Center? I have no remote notion but I know the problem is the same.

What is difficult to grasp in this, because most readers and responders have to work day to day in an actual installation, is that real cryptographic study is available on the checkout lane of the grocery store. Just try writing a non-trivial cross-word solver, and that the real Crypto - whatever it is we are really talking about; really is in the domain of human thought.

There, conventional wisdom in the computer science is to label the work Social Engineering. That may be the correct label, but such label always invokes discussion of tasteful renditions of imaginative works - often portrayed by Gene Hackman - that discuss the matter in an entertaining way.

And guess what, speak of evil .... then there is evil.
Speak of good, then there is good.

But neither of those are titanium-grade isolators from the vast wasteland where a 1-MHz or 1-GHz processor is rendered useless by a blocking Thread. I thought to utilize a portion of that time by making an AI tool that will inspect the color chooser responses color chooser and short list of fav's for a user to answer as a clue into how the password management challenge may be more effectively approached.

Takers?

[ see the real Skin Crawlers at: Browser Security - Cracker: One who breaks security on a system. ]
[ September 21, 2007: Message edited by: Nicholas Jordan ]
 
Rancher
Posts: 4803

Originally posted by Stan James:
This just triggered a memory that made me smile ... a vendor package encrypted passwords with a simple XOR. Our database folks stared at these so long they eventually learned to READ the encrypted passwords. (Since I sight read vocal music on sax all the time, this makes perfect sense.) You could call them up to recover a lost password. Security, ha!

Sadly, far too many vendors do such lame stuff and pretend it is security.
I've seen folks MIME encode the ASCII and claim it's encryption. Sigh.
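Both the XOR story and the MIME (Base64) story describe the same defect: the stored value can be turned back into the password by anyone who has the data, because no secret is involved. The audit helper below is an added example for this thread, not code from any poster or vendor. It assumes you can read the credential column out of the database into a map keyed by username, and it applies a deliberately simple heuristic: a hex string whose length matches MD5, SHA-1 or SHA-256 is treated as a digest, a value that Base64-decodes to readable ASCII is flagged as merely encoded, and everything else is left for a human to classify. The sample rows are constructed; the SHA-256 value is the well-known digest of the empty string.

```java
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example: flag stored credentials that are reversible without any secret. */
public class CredentialStoreAudit {

    public enum Verdict {
        DIGEST_LIKE,          // hex whose length matches a common message digest
        REVERSIBLE_ENCODING,  // decodes to readable text with no key at all
        UNCLASSIFIED          // plaintext, or a scheme this heuristic does not recognise
    }

    private static final Pattern HEX = Pattern.compile("[0-9a-fA-F]+");

    public static Verdict classify(String stored) {
        // Check the digest shape first: a hex string is also a valid Base64 alphabet,
        // so the order of these tests matters. MD5 = 32 hex chars, SHA-1 = 40, SHA-256 = 64.
        int len = stored.length();
        if (HEX.matcher(stored).matches() && (len == 32 || len == 40 || len == 64)) {
            return Verdict.DIGEST_LIKE;
        }
        try {
            byte[] decoded = Base64.getDecoder().decode(stored);
            if (decoded.length > 0 && isPrintableAscii(decoded)) {
                return Verdict.REVERSIBLE_ENCODING;   // "encryption" that needs no secret
            }
        } catch (IllegalArgumentException notBase64) {
            // Not valid Base64; fall through to the default verdict.
        }
        // Plaintext cannot be told apart from an unknown scheme by inspection alone.
        return Verdict.UNCLASSIFIED;
    }

    private static boolean isPrintableAscii(byte[] bytes) {
        for (byte b : bytes) {
            if (b < 0x20 || b > 0x7e) {
                return false;
            }
        }
        return true;
    }

    /** Classifies every row of a username -> stored-credential column. */
    public static Map<String, Verdict> audit(Map<String, String> column) {
        Map<String, Verdict> verdicts = new LinkedHashMap<>();
        for (Map.Entry<String, String> row : column.entrySet()) {
            verdicts.put(row.getKey(), classify(row.getValue()));
        }
        return verdicts;
    }

    public static void main(String[] args) {
        // Constructed sample column, not data from any real system.
        Map<String, String> column = new LinkedHashMap<>();
        column.put("alice", "aHVudGVyMg==");                        // Base64 of "hunter2"
        column.put("bob",   "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
        column.put("carol", "hunter2");                             // stored as typed
        audit(column).forEach((user, verdict) -> System.out.println(user + " -> " + verdict));
    }
}
```

A row flagged `REVERSIBLE_ENCODING` is the case the two posts above describe; a `DIGEST_LIKE` row still deserves a look at whether a salt was used, which this shape check cannot tell you.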
 
Nicholas Jordan
Ranch Hand
Posts: 1282
[Pat Farrell:] I've seen folks MIME encode the ASCII and claim it's encryption. Sigh

While working on this recently I saw a cracker that works on the actual default encipherment routine spec'd by MIME - claiming that it could be routinely broken by a background level process running for a few hours on an unloaded machine. Do you know the link or related so I can try to build this locally, I lost the sources in all the stuff I have downloaded.

Nick -

It seems some people are in denial:

Denial of Service