I am working on a web application for my Masters project. It is a system for professors to manage student projects and uses Java for server code, HSQLDB for the database, and JSP for the presentation level, and it works on tomcat. The data that will be stored does not contain any confidential information (student ID, financial information, nothing like that), but usernames and passwords are required, so I want to protect the passwords themselves if the student uses the password for my application, which they used for another, more important application (this will undoubtedly happen even if I tell people not to do it).
I have never considered such things before, and I'm pretty lost. I found a good article explaining how to use Java to create a password hash , and I found information in the tomcat documentation explaining how to set the hash scheme used in realms, and how to do SSL with tomcat , as well as a JavaScript library for creating hashes from passwords, but I'm not sure how to put all the pieces together, and what pieces I need exactly.
If I use the JavaScript library for the hash password and use SSL for the login step (after that I donβt think that, since I think that the other data does not need protection), then only save the hashed versions of the passwords in the database, is it enough? Or do I need to do something else? I came across a question where the answers were discussed by PBKDF2 and some other things, but it just confused me more ... If I use one of the schemes mentioned in these answers, how can I do this? I have not seen links to them in tomcat or other documentation, so I donβt know how I use them ...
If someone can clear my confusion and tell me which is the right way to safely transfer and store passwords, I would really appreciate it.
source share