Password management

I have a question about password management. Suppose I have a program, and the user enters a password, and the data is stored in encrypted form.

One way: encrypt the data with the user's password. Pros: the user assumes responsibility for the password's security and for the security of your data. Cons: if the user changes the password, all the data must be decrypted and re-encrypted.

Another way: the data is encrypted using a password other than the user's (a random one), and the user's password is used to encrypt that random password. Pros: if the user changes the password, he does not need to re-encrypt everything.

As for saving the user password, I use jasypt.org. Is this normal? What would be the right way to do this? I think the weak point is the Jasypt cipher. The data is encrypted with AES-128. I use Jasypt because it's all I know.

+4
2 answers

Typically, you should encrypt the data key with a password.

For encryption, the password will first be converted to a key. To do this, you would use a password-based key derivation function (PBKDF). PBKDF2 is currently the most standard option.

You encrypt data using a randomly generated key. This key, in turn, is encrypted using the key generated by the password.

To change the password, first ask for the original. Then decrypt the data key. You can then request a new password and re-encrypt the data key. Encrypted data should not be affected.

+7

Mostly you want to use salted password hashing. CrackStation has a very good article on this.

+3
