Get password from database and send email

 
Ranch Hand
Posts: 91
3
I have used Hibernate in my application. I have a login page where the user enters credentials, and they are validated from the DB. Now, if a user forgets their password, I have provided a "forgot password" link which redirects to a web page that takes the email id as input from the user, and then control is passed to a servlet, where I want to fetch the password of that user from the database. What should I use for it? I think I cannot use a ResultSet, as I want only one password at a time to be fetched from the database and sent in an email to the user.
 
Saloon Keeper
Posts: 7582
176
ResultSets can return any number of records: 0, 1 or many.

But more importantly, you should never send passwords by email. In fact, that should not even be possible: the proper way to store passwords is hashed (maybe using SHA 256), so nobody (including the server-side code) can get at them.
 
Rancher
Posts: 4801
50
This is why on any site with at least some semblance of security you will only find a "reset password" option.
 
arushi tomar
Ranch Hand
Posts: 91
3
I am storing encrypted password values in the database. I was thinking of sending the decrypted value to the email if somebody forgets their password. Is this not okay? If not, then:

If I do the reset password, I will allow the user to reset their password by e-mailing them a link to reset the password, where I will use a session value to update the password in the database with the new password that the user inputs? Am I right?
 
author
Posts: 4335
39
jQuery Eclipse IDE Java
Tim is correct: it should not be possible to decrypt the password, nor is it recommended to send it over e-mail. You store the (salted) hash of the password in the db, and compare this against any requests to log in.

Using a URL/temp password for password reset is much more common provided you make sure that:
- It expires if not used within a relatively small time frame (one hour or one day)
- It can only be used once and then never again

You shouldn't replace the user's password in the database with the temp one, though, as it may not have been the user that requested the reset. It should be in a separate table/column.
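The reset-link flow with the three properties Scott lists (short expiry, single use, kept apart from the password column), as an added example for this thread rather than code from the post or from any library. The in-memory map stands in for a separate password_reset table; the class and method names, the one-hour lifetime and the 32-byte token size are this example's own choices. Only a hash of the token is stored, so someone who can read that table still cannot build a working reset link from it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class PasswordResetTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration LIFETIME = Duration.ofHours(1);   // "one hour or one day"

    /** One pending reset: who it is for and when it stops being valid. */
    static final class PendingReset {
        final String userId;
        final Instant expiresAt;
        PendingReset(String userId, Instant expiresAt) {
            this.userId = userId;
            this.expiresAt = expiresAt;
        }
    }

    // Stand-in for a separate password_reset table, keyed by SHA-256 of the token.
    // The users table and its password hash column are never touched by a request.
    private final Map<String, PendingReset> pending = new HashMap<>();

    /**
     * Issues a token for the user who asked for a reset. The raw token is returned
     * only so the caller can put it in the e-mailed link; it is not kept server-side.
     */
    public String issue(String userId, Instant now) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);                                  // unguessable, not a session id
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(sha256(token), new PendingReset(userId, now.plus(LIFETIME)));
        return token;
    }

    /**
     * Called by the reset servlet when the link is clicked. Returns the user id
     * the new password may be set for, or null if the token is unknown, already
     * used or expired. The entry is removed on every attempt, so a token can be
     * used at most once.
     */
    public String consume(String token, Instant now) {
        PendingReset reset = pending.remove(sha256(token));
        if (reset == null) {
            return null;                                     // unknown or already used
        }
        if (now.isAfter(reset.expiresAt)) {
            return null;                                     // expired, and now discarded
        }
        return reset.userId;
    }

    private static String sha256(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);              // SHA-256 is always present in the JDK
        }
    }

    // Walk-through with a constructed user id and a fixed clock.
    public static void main(String[] args) {
        PasswordResetTokens tokens = new PasswordResetTokens();
        Instant issuedAt = Instant.parse("2015-06-01T10:00:00Z");

        String token = tokens.issue("user-42", issuedAt);
        System.out.println("link: https://example.invalid/reset?token=" + token);
        System.out.println("first use, 10 min later:  " + tokens.consume(token, issuedAt.plus(Duration.ofMinutes(10))));
        System.out.println("second use of same token: " + tokens.consume(token, issuedAt.plus(Duration.ofMinutes(11))));

        String late = tokens.issue("user-42", issuedAt);
        System.out.println("use after lifetime:       " + tokens.consume(late, issuedAt.plus(Duration.ofHours(2))));
    }
}
```

Only after `consume` returns a user id does the servlet hash the password the user typed into the reset form and write it to that user's row; until then the existing password keeps working, which is what protects an account when someone else requested the reset. In a real deployment the map becomes a table with the token hash, user id and expiry, and the "remove" becomes a delete inside the same transaction that sets the new password.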
 
Bartender
Posts: 1210
25
Android Python PHP C++ Java Linux
Certain components of a software system are so critical that not applying best development practices in those areas can slam a company with shockingly high legal, financial, customer, organizational and business costs - and all that slamming together at the same time!

Storing passwords in plaintext and mailing them to customers is such a basic security mistake and has caused so many data breaches that it's not even funny now in 2015.
How would you feel if your bank sent you an email today stating that your savings account details, password and CVV may be compromised, and that you should check for any unauthorized transactions? Would you continue keeping your money in such a bank?
Guess whom management blames when (and in 2015, it really has become a case of when, not if) data breaches occur?

This is not just another programming problem to be solved by googling and copy pasting some code snippets from the Internet.
This is one of those situations where a company's management may not realize the criticality of the problem, or may have simply assumed that their development team will do the right thing.
So as a software engineer with a code of ethics, it's up to you to step up and do the right thing the right way.

In my opinion, you should stop the coding, talk to your managers about the criticality of this area, upgrade your knowledge by yourself or with company sponsored training (preferably the latter), and only then come back to the coding.

Here are a few resources that will help. Don't skip reading the long form articles.

Understand the gravity of the business and management problem:
(PDF) 2015 cost of data breaches
A security code of ethics for developers and management
Understand the psychology behind why development orgs neglect security

Understand Design and Architecture issues:
OWASP authentication guide
Lessons, including password storage, from the Tesco breach

Understand implementation issues:
Why naive hashing is not enough
Secure password reset
Understand basics of password storage
Next understand why the above was good in 2007 but is no longer enough now in 2015
Security tips
OWASP authentication recipes
OWASP password guidelines
OWASP Secure Coding Practices
Read this discussion thread fully
Our Security FAQ (especially OWASP and Other Topics)
 
arushi tomar
Ranch Hand
Posts: 91
3
Karthik Shiraly wrote:

I didn't check your reply until now, but I already moved up to the part where I am saving encrypted passwords now and sending a password reset link to the user (not copy-pasted, I tried to do it myself), but I am not able to send a link via mail. Trying to work on that now. And I will read all the links you have posted. Thanks for the effort. It is much appreciated. :-)
 
arushi tomar
Ranch Hand
Posts: 91
3
Scott Selikoff wrote:

Yes, I am not decrypting the password now. Sending a link to reset the password to the user. Thanks a lot.
 
arushi tomar
Ranch Hand
Posts: 91
3
Tim Moores wrote:

Thanks Tim, your reply made me think properly towards the problem and use a different approach altogether.
 