Passing passwords

Ashutosh Arya
Ranch Hand
Posts: 69
Hi,

I have a situation at hand in which the application I am dealing with is using hidden variables to pass the password fields from JSP to Servlet.

I guess this is making it prone to hacking.

My question is: will merely removing the hidden variable usage for passwords solve the problem, or are other steps necessary to make the application more secure, especially when we are dealing with passwords?

Also, we are using an encryption/decryption technique, but we are using it in the servlet.

Waiting for the guidance eagerly,

Thanks in advance,

Aashu
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
Ashutosh Arya wrote: I have a situation at hand in which the application I am dealing with is using hidden variables to pass the password fields from JSP to Servlet.

Using a hidden field does absolutely nothing -- I repeat nothing whatsoever -- for security.

Use SSL encryption.
 
jhon masco
Ranch Hand
Posts: 98
Are you using a database for password validation?
If you have encrypted the password and you do not keep it in a session variable, for example, or in a hidden input, it would be good in my opinion.
Also remember to validate your login form against SQL injection.
 
Hebert Coelho
Ranch Hand
Posts: 754
Or you can store those in your session. You won't need to store this in your JSP.

C ya! [=
 
Ulf Dittmer
Rancher
Posts: 42970
Also, you should be storing the password in the DB not in cleartext or encrypted, but hashed (or digested) using something like SHA-2. That way, nobody can retrieve the password, even if they break into the system.
 
It is sorta covered in the JavaRanch Style Guide.
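The storage and lookup that the last two replies ask for, written out as an added example (this is not code from the thread or from any of the posters): a per-user random salt, a SHA-2 based digest (PBKDF2 with HMAC-SHA256 from the standard JDK, which iterates SHA-256 many times instead of applying it once), a constant-time comparison at login, and a parameterised JDBC lookup so the submitted username can never alter the SQL text. The table name `users` and column `password_hash` are assumptions, and the in-`main` password is a constructed sample.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example: hashed (not encrypted) password storage for a JSP/Servlet login. */
public final class PasswordStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 100_000;   // raise as hardware allows
    private static final int KEY_BITS = 256;

    /** Derive a digest from salt + password with PBKDF2-HMAC-SHA256 (a SHA-2 construction). */
    static byte[] derive(byte[] salt, char[] password, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            try {
                return factory.generateSecret(spec).getEncoded();
            } finally {
                spec.clearPassword();   // do not leave the password lying around in memory
            }
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 is part of every modern JRE", e);
        }
    }

    /** Value to write into the users table: iterations:base64(salt):base64(digest). */
    public static String hashForStorage(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                          // fresh salt per user, per change
        byte[] digest = derive(salt, password, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(digest);
    }

    /** Compare a submitted password against a stored record in constant time. */
    public static boolean verify(String stored, char[] candidate) {
        String[] parts = stored.split(":", 3);        // Base64 never contains ':'
        if (parts.length != 3) return false;
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        // MessageDigest.isEqual does not short-circuit on the first differing byte
        return MessageDigest.isEqual(expected, derive(salt, candidate, iterations));
    }

    /** Parameterised lookup for the login servlet; the username is bound, never concatenated. */
    public static String lookupStoredHash(Connection conn, String username) throws SQLException {
        String sql = "SELECT password_hash FROM users WHERE username = ?";   // assumed schema
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample; in the servlet the char[] comes from the POSTed form field.
        String record = hashForStorage("correct horse battery".toCharArray());
        System.out.println("stored record: " + record);
        System.out.println("right password accepted: " + verify(record, "correct horse battery".toCharArray()));
        System.out.println("wrong password accepted:  " + verify(record, "wrong".toCharArray()));
    }
}
```

In the servlet, `lookupStoredHash` supplies the `stored` argument for `verify`; a missing user should still go through a `verify` call against a dummy record so that a bad username and a bad password take the same time. Nothing here replaces SSL: the form submission itself still has to travel over HTTPS, as Bear says.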