How to store passwords in a database?

I use JSP and servlets in my web application. I need to store passwords in a database. I found that hashing would be the best way to do this. I used this code for this.

    <%@page import="com.jSurvey.entity.*" %>
    <%@page import="java.security.MessageDigest" %>
    <%@page import="java.security.NoSuchAlgorithmException" %>
    <%@page import="java.math.BigInteger" %>
    <%@page import="com.jSurvey.controller.*" %>
    <%@page import="sun.misc.BASE64Encoder" %>
    <%
    try {
        String user = request.getParameter("Username");
        String pass = request.getParameter("Password1");
        String name = request.getParameter("Name");
        String mail = request.getParameter("email");
        String phone = request.getParameter("phone");
        String add1 = request.getParameter("address1");
        String add2 = request.getParameter("address2");
        String country = request.getParameter("country");

        Login login = new Login();
        Account account = new Account();
        login.setId(user);
        login.setPassword(pass);

        if (!(add1.equals(""))) {
            account.setAddress1(add1);
        }
        if (!(add2.equals(""))) {
            account.setAddress2(add2);
        }
        if (!(country.equals(""))) {
            account.setCountry(country);
        }
        account.setId(user);
        account.setMail_id(mail);
        if (!(phone.equals(""))) {
            account.setPhone_no(Long.parseLong(phone));
        }
        account.setName(name);

        java.security.MessageDigest d = null;
        d = java.security.MessageDigest.getInstance("SHA-1");
        d.reset();
        d.update(pass.getBytes("UTF-8"));
        byte b[] = d.digest();
        String tmp = (new BASE64Encoder()).encode(b);

        account.setPassword(tmp);
        account.setPrivilege(1);

        LoginJpaController logcon = new LoginJpaController();
        AccountJpaController acccon = new AccountJpaController();
        logcon.create(login);
        acccon.create(account);

        session.setAttribute("user", user);
        response.sendRedirect("dashboard.jsp");
    } catch (NumberFormatException ex) {
        out.println("Invalid data");
    }
    %>

When I tried to print the tmp value, I get a different value. I guess it's the password hash value. But when I save this data in the database, the original password is saved there instead of the value in tmp.

I am using Java Derby as a database.

What is the problem???

+7
java passwords hash
3 answers
  • Add salt. For example, add an email to the password before hashing. This will prevent the use of rainbow tables.
  • Make sure you use tmp in your INSERT request and not the original password.
  • Do not use BASE64Encoder. It is part of Sun's internal libraries and is subject to change. Use commons-codec Base64.
+5

Apache has a common library, namely Commons Codec, which simplifies password encoding. It will do all the work for you.

    import org.apache.commons.codec.digest.DigestUtils;

    String pw = DigestUtils.sha256Hex(password);

Or if you want base64:

    import org.apache.commons.codec.digest.DigestUtils;
    import org.apache.commons.codec.binary.Base64;

    byte[] pwBytes = DigestUtils.sha(password);
    String b64Pass = Base64.encodeBase64String(pwBytes);
+8

Try this, it should work.

    import java.math.BigInteger;
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    public class MD5 {
        public static void main(String[] args) {
            try {
                MessageDigest alg = MessageDigest.getInstance("MD5");
                String password = "123456";
                alg.reset();
                // Fix the charset so the digest does not depend on the platform default
                alg.update(password.getBytes(StandardCharsets.UTF_8));
                byte[] msgDigest = alg.digest();
                BigInteger number = new BigInteger(1, msgDigest);
                // Pad to 32 hex digits; BigInteger.toString(16) drops leading zeros
                String str = String.format("%032x", number);
                System.out.println(str);
            } catch (NoSuchAlgorithmException e) {
                e.printStackTrace();
            }
        }
    }

0