Protecting passwords in a web app

 
neelesh kumar
Greenhorn
Just one more question... I have a login provision on my website... how do I protect the user's password from the admin? Currently the user can still see the passwords of all registered users by accessing the database (MySQL).
 
Ulf Dittmer
Rancher
  • Likes 1
That's one of the reasons why you don't store passwords in clear text, but hashed or digested, so that nobody can get at them.
 
E Armitage
Rancher
  • Likes 1
Read https://www.owasp.org/index.php/Hashing_Java then read about how to integrate all that using JAAS. Do not try a home grown solution to security before reading that article and understanding why JAAS is important.
 
neelesh kumar
Greenhorn
I used the following piece of code to encrypt the password... it works well and the password is stored in the database in encrypted form:
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

MessageDigest digest = MessageDigest.getInstance("SHA-1"); // unsalted, single-round digest of the password
digest.reset();
byte[] input = digest.digest(pass.getBytes(StandardCharsets.UTF_8)); // raw digest bytes that get stored

The problem is how do I now validate the password entered by the user at the time of login... I mean, how do I compare the password entered by the user at the time of login with its encrypted version stored in the database?
 
E Armitage
Rancher
neelesh kumar wrote: I used the following piece of code to encrypt the password... it works well and the password is stored in the database in encrypted form:
MessageDigest digest = MessageDigest.getInstance("SHA-1");
digest.reset();
byte[] input = digest.digest(pass.getBytes("UTF-8"));

The problem is how do I now validate the password entered by the user at the time of login... I mean, how do I compare the password entered by the user at the time of login with its encrypted version stored in the database?

Read the reply I posted above.
 
neelesh kumar
Greenhorn
Thanks! Problem solved.
 
Richard Tookey
Bartender
neelesh kumar wrote: Thanks! Problem solved.


If you are using the code you posted above then you have made the same monumental blunder as Adobe since you have the same security flaw!
 
neelesh kumar
Greenhorn
No, I didn't use that code... I encrypted the password with a salt.
 
E Armitage
Rancher
neelesh kumar wrote: No, I didn't use that code... I encrypted the password with a salt.

Also prefer SHA-2 if available because SHA-1 has a theoretical attack.
 
neelesh kumar
Greenhorn
  • Likes 1
Just changed it to SHA-2... thank you all, this forum is awesome.
 