
Password Encryption: Rationale and Java

 
vipin jain
Ranch Hand
Hi, can anyone tell me how I can encrypt and decrypt a password?
 
Akhilesh Trivedi
Ranch Hand
Encryption and decryption are techniques used to ensure security. These are implemented using algorithms. There are a number of algorithms you can choose from; again, they all depend on what exactly you want to secure and what level of security you need. If you are a beginner you may want to check this.

FYI, we have a separate section on security here.
[ November 26, 2008: Message edited by: Akhilesh Trivedi ]
 
Ulf Dittmer
Rancher
The common practice is not to encrypt passwords, but to hash (or digest) them. The difference is that an encryption can be reversed, while a hash can't. That means that you don't have to worry about an encryption key (which could get lost, or compromised) and the passwords can be saved anywhere (like in a database) in the knowledge that they can't be recovered by an attacker.

So how do you use a password that you can't recover? When the user logs in, the password she enters is also hashed, and that hash is compared to the stored hash of the original password. If both are identical, the user is authenticated and can proceed.

See here for details of the implementation. "SHA-1" is the hash you should use these days.
[ November 26, 2008: Message edited by: Ulf Dittmer ]
 
vipin jain
Ranch Hand
Hi all,

Thanks for the reply.
I have one more query.
Actually I am using the SHA algorithm to encrypt the password and it's working fine, but I am not able to decrypt the password.

Can anyone help me?
 
Ulf Dittmer
Rancher
SHA is a hash (or digest), not a cipher. That means you can't recover the cleartext from something that's been hashed. If you need to do that (and I mentioned above that for passwords you should not), use a cipher like AES or TripleDES.
 
vipin jain
Ranch Hand
Hi Ulf Dittmer,

Thanks for the reply.

So which algorithm can I use where both things (encryption and decryption) are possible?
 
Ulf Dittmer
Rancher
All ciphers can be used for both encryption and decryption. The two I mentioned are good choices, but if you look at the JCE documentation (the Java API implementing crypto) you'll find a list of all available ones. The list is also linked in the Security FAQ.
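As an added example (not code from any post in this thread), here is what a reversible JCE cipher looks like in Java: AES in GCM mode, which both encrypts and decrypts, plus a query of the installed providers that prints the cipher names available in the running JVM, which is the "list of all available ones" mentioned above. The class and method names are my own. Note the design point the thread keeps coming back to: the key has to be stored somewhere and protected, and whoever can read it can decrypt everything, which is why stored passwords should be hashed rather than encrypted.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import java.util.SortedSet;
import java.util.TreeSet;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example: a reversible JCE cipher (AES-GCM) for data that must be read back later. */
public class AesRoundTrip {
    static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    static final int TAG_BITS = 128;  // authentication tag length

    // Names of every Cipher algorithm offered by the installed security providers.
    static SortedSet<String> availableCiphers() {
        SortedSet<String> names = new TreeSet<>();
        for (Provider p : Security.getProviders())
            for (Provider.Service s : p.getServices())
                if ("Cipher".equals(s.getType())) names.add(s.getAlgorithm());
        return names;
    }

    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh nonce per message; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length]; // prepend the IV so decrypt() can find it
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(ct); // throws AEADBadTagException if the blob was modified in transit or at rest
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Ciphers available here: " + availableCiphers());

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey(); // must be stored and protected: anyone holding it can decrypt

        byte[] blob = encrypt(key, "hello".getBytes(StandardCharsets.UTF_8)); // constructed sample input
        System.out.println("decrypted: " + new String(decrypt(key, blob), StandardCharsets.UTF_8));
    }
}
```

GCM is used rather than a plain block mode because it also authenticates the ciphertext: a modified blob fails with an exception at decrypt time instead of silently producing garbage.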
 
Pat Farrell
Rancher
Originally posted by vipin jain:
> So which algorithm can I use where both things (encryption and decryption) are possible?

No, don't do that. When you use a hash, no one can compromise the password, and thus the account. If it can be decrypted (or deciphered) then anyone with access to the server can compromise the account, or even all accounts. This is really bad.

What you do is use one-way hashing. When the user calls "customer support" and says "I forgot my password, what was it?" you say "We can not give it to you. We can, however, set a new temporary password, and you can use it to log in and change your password to something you like."

This way customer support never has access to the long-term password.
 
Akhilesh Trivedi
Ranch Hand
So if vipin has a password, say 'count', and it hashes to, say, "7p844Ya6BvV7e3TX5ia5ThPOJVY="

he will store 7p844Ya6BvV7e3TX5ia5ThPOJVY= in the database (and not 'count').

And while authenticating a login he will only check:

(input) 'count' --- hash it to ---> 7p844Ya6BvV7e3TX5ia5ThPOJVY=

and compare it with ----> 7p844Ya6BvV7e3TX5ia5ThPOJVY= (database value)

He should never ever have to bother about how to convert 7p844Ya6BvV7e3TX5ia5ThPOJVY= back to 'count' at all? And is it that hashes are one-way, i.e. no decrypting back?
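The flow Ulf describes earlier in the thread and Akhilesh's 'count' walkthrough just above, written out in Java as an added example (this is not code from any of the posts; the class and method names are mine). The first method produces a Base64-encoded SHA-1 digest, the same shape as the "7p844Ya6BvV7e3TX5ia5ThPOJVY=" value in the walkthrough. The rest shows the form recommended today for stored passwords: a random per-user salt and a deliberately slow key-derivation function (PBKDF2, available in the JCE since Java 8), so that two users with the same password get different stored values and guessing is expensive, plus a constant-time comparison at login.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example: one-way password storage and verification, as described in the thread. */
public class PasswordHashDemo {

    // Plain SHA-1 digest, Base64-encoded: the shape of the thread's "7p844Ya6BvV7e3TX5ia5ThPOJVY=" value.
    static String sha1Base64(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Hardened form: random salt + PBKDF2 with many iterations.
    // Stored record layout (my own convention): "iterations:base64(salt):base64(hash)".
    static final int ITERATIONS = 100_000;
    static final int SALT_BYTES = 16;
    static final int KEY_BITS = 256;

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return f.generateSecret(spec).getEncoded();
    }

    // What gets written to the database at registration time (never the password itself).
    static String storedRecord(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return ITERATIONS + ":" + enc.encodeToString(salt) + ":" + enc.encodeToString(hash);
    }

    // Login check: re-derive with the stored salt and compare without an early exit on the
    // first differing byte, so response time does not leak how much of the hash matched.
    static boolean verify(char[] entered, String record) throws Exception {
        String[] parts = record.split(":");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(entered, salt, iterations);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SHA-1 of 'count': " + sha1Base64("count"));

        String record = storedRecord("count".toCharArray()); // constructed sample password
        System.out.println("database record:  " + record);
        System.out.println("login with 'count': " + verify("count".toCharArray(), record)); // true
        System.out.println("login with 'Count': " + verify("Count".toCharArray(), record)); // false
    }
}
```

The record carries its own iteration count so the cost can be raised for new accounts later without invalidating existing ones: old records keep verifying with the count they were created with.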
 
Ulf Dittmer
Rancher
Yes, that's exactly how it works.
 
vipin jain
Ranch Hand
Hello,

Thanks for all of your help.
Finally I have completed my task using your instructions.
Thanks once again.
 