
Safe storing user's password - how to encrypt it?

Hello.

I want to build a simple login system. I'm using servlets, JSP and Hibernate (for persisting the password). So I have a form in my JSP page which contains a "password" field. After submitting the form, all validations are made and then all of the fields go to the servlet.

And here are my questions:

1. The password goes to the servlet as raw text, right? So should I encrypt it on the client side (using JavaScript)?
2. Let's say that I want to send the password to the servlet as raw text and encrypt it in the servlet. Are there any libraries or JSTL tags to do that? Or do I have to write the code myself?
3. If I have an encrypted password and my servlet saves it in the DB, then when the user tries to log in and types the login name and password in the form, before checking it against the database I have to encrypt it with the same code, right?
4. If the user forgets the password, should I have a second routine for decrypting the password, or should I send the user some generated link to change the password?

I think it's all for now. Thank you for reading

Marek Krokosinski wrote: 1. The password goes to the servlet as raw text, right? So should I encrypt it on the client side (using JavaScript)?


No. Use SSL and let the browser handle it.

2. Let's say that I want to send the password to the servlet as raw text and encrypt it in the servlet. Are there any libraries or JSTL tags to do that? Or do I have to write the code myself?


Java includes encryption algorithms. You want to be sure to use a one-way hash such as MD5 or SHA or any non-decryptable algorithm. Be sure to use a salt value to avoid dictionary lookup attacks.

3. If I have an encrypted password and my servlet saves it in the DB, then when the user tries to log in and types the login name and password in the form, before checking it against the database I have to encrypt it with the same code, right?


Yes. Otherwise how will you end up with the same result?

4. If the user forgets the password, should I have a second routine for decrypting the password, or should I send the user some generated link to change the password?


No. You should not use a decryptable algorithm as noted above. If the user forgets their password, simply make them create a new one once you've established that they are legit.
Thank you for the answers.

Do I have to set up something in my application to use SSL? Or should I set it up in my container configuration file (in this case it will be JBoss)?
SSL is set up exterior to web apps. Pretty much the only thing that needs to be done within the web apps is to make sure you are not using absolute URLs (which you usually should not be using in any case) that hard-code the protocol.

Bear Bibeault wrote: SSL is set up exterior to web apps.

Really? I'll have to check that in my webapp. I don't use absolute URLs, but I think I don't have an SSL connection.
If you haven't purchased an SSL certificate and set up SSL on your server, then you aren't using SSL. Search for instructions elsewhere -- it's not a servlet concept.