
How can I pass an encrypted password to my datasource

 
somashaker goud
Ranch Hand
Posts: 60
Hi All,

Below is the code which I am using in application-cfg.xml to create the datasource in Hibernate.



You can see that the value which I am passing is in plain text, which is not at all acceptable in a real team (production environment).

Can you please suggest better ways to implement it?
 
somashaker goud
Ranch Hand
Posts: 60
Small correction to the above:

You can see that the value which I am passing in plain text is a password, which is not at all acceptable in a real team (production environment).
 
somashaker goud
Ranch Hand
Posts: 60
Apologies for the grammatical mistakes.

You can see that the value (password) which I am passing is in plain text, which is not at all acceptable in a real-time scenario (production environment).
 
Dwayne Barsotta
Ranch Hand
Posts: 86
Sorry, I don't know Hibernate at all, but maybe a similar situation I had will help.

In my application I am incorporating a login situation. For this reason I am storing a username and password in a database. Not too secure, right?

Through research I forgot several Java jar applications that hash plain text passwords.

So the user enters the password in the text box, then you pass the password to the hashing algorithm. Then use the returned hashed password to save through Hibernate.

I can't remember the one I chose (it's on my main computer; I'm on my phone). Unlike most hash algorithms, you need to store the username, hashed password and the salt in the table. But with the one I chose, it uses a variation of the username as the salt, so all you need to store is the username and hashed password. The jar file offers methods to compare the entered password with the stored hash, returning true or false. Unlike encrypting a password, you usually can never decrypt a hashed password back to plain English.

You hash the password the person is trying to log in with and check if it matches the hashed value of the stored password.

IMO this is why websites don't send you the plain text version of your password when you forget it; basically there's no way to know if they used a hashing algorithm. But if they used an encryption method they could.

Based on my research hashing is the way to go, just use current (not old) algorithms.

Hope this helps.
 
Dwayne Barsotta
Ranch Hand
Posts: 86
Sorry third paragraph should read "through research I FOUND" not forgot.
 
Stephan van Hulst
Saloon Keeper
Posts: 7487
I don't think that will be helpful to the OP, because this is about the server accessing its application database. There is no user involved.

Usually in these systems it's fine to put the password in plain text in a configuration file, because if an attacker can access the configuration file that means they already have access to the server and you have much bigger problems.

If you don't feel comfortable putting the password there in plain text, you can encrypt it before putting it in the configuration file, and decrypt it before you access the database. Note that this offers NO SECURITY. It will only hide the password from viewing it directly, but an attacker who has access to both the application and the configuration file will be able to decrypt it anyway, so you might as well just leave it in plain text.

Another solution is to ask the administrator for the password every time they run some script. In practice, this rarely happens because it's too much of a bother.
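As an added example (not code from any of the posters), here is the last option above applied to Hibernate: hibernate.cfg.xml keeps the URL, driver and username but no password, and the administrator types the password on the terminal when the application starts, so it never sits in the configuration file. The class name DataSourceBootstrap is an assumption; the property name hibernate.connection.password is Hibernate's own.

```java
import java.io.Console;
import java.util.Arrays;
import org.hibernate.SessionFactory;
import org.hibernate.cfg.Configuration;

public class DataSourceBootstrap {

    // Builds the SessionFactory from hibernate.cfg.xml (loaded from the classpath),
    // which deliberately contains NO hibernate.connection.password entry.
    // The password is asked from the administrator on the terminal at startup.
    public static SessionFactory buildSessionFactory() {
        Console console = System.console();
        if (console == null) {
            // No interactive terminal (started as a service, or from an IDE):
            // fail loudly instead of silently continuing with an empty password.
            throw new IllegalStateException(
                "No console available to prompt for the database password");
        }

        char[] password = console.readPassword("Database password for Hibernate datasource: ");
        try {
            Configuration cfg = new Configuration().configure(); // reads hibernate.cfg.xml
            if (cfg.getProperty("hibernate.connection.password") != null) {
                // Refuse to start if someone put the password back into the file.
                throw new IllegalStateException(
                    "hibernate.cfg.xml must not contain hibernate.connection.password");
            }
            // Hibernate needs a String; this copy lives in the pool's settings from here on.
            cfg.setProperty("hibernate.connection.password", new String(password));
            return cfg.buildSessionFactory();
        } finally {
            Arrays.fill(password, '\0'); // wipe the char[] copy once Hibernate has it
        }
    }

    public static void main(String[] args) {
        SessionFactory sf = buildSessionFactory();
        System.out.println("Datasource initialised: " + !sf.isClosed());
        sf.close();
    }
}
```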
 