3

In the registration form of my web application I have a password field. Now, when I insert the data into the database on the submit button:

Approach 1:

I use the md5 function to generate a hash value of it and then I save the encrypted data into the database.

Approach 2:

I use the query in MySql to directly convert the particular column data into the hash value.

Which approach has less overhead, and which one is more secure across the network? Please help.

Database used: MySQL 5, Front end: Java

Prateek
  • Please, take a look at [this question](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) and provided answers. – vyegorov Jul 06 '12 at 09:06

3 Answers

3

It will be more secure to encrypt the data first and then insert it into MySQL. Otherwise, the data may be "sniffed" by listening to the traffic between the app server and the database.

Another point to keep in mind while using MD5 is to use a "salt" value. MD5 is susceptible to brute force attack if no salt is used. Using a salt means adding an arbitrary string to the user-entered value before calculating the MD5 and saving it to the database.

For example, if the value entered by user is "ABC", and your salt value is "12345", you will calculate MD5 for "ABC12345".

Manish
  • I would recommend using `bcrypt` though, [take a look](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php). – vyegorov Jul 06 '12 at 09:06
0

You should save the encrypted password in the DB. And when you want to authenticate you should compare the two encrypted strings. It's not a matter of overhead, it's a matter of security (which is also why you should consider a real encryption instead of hashing).

Nir Alfasi
  • I guess you didn't get the question right. There are some MySQL constructs by which we can directly apply security to the database columns. I want to know whether I should use this approach at the database level or inside my code. – Prateek Jul 06 '12 at 08:52
0

You should most definitely calculate the hash, encrypt it at the application level. This will protect you against replay and MiM attacks. Storing encrypted hashes instead of encrypting the password in cleartext will add an extra layer of security for your users, since if your DB should get hacked the attacker won't be able to use this information on other sites (since people tend to use the same passwords).

IMO, security should be put before performance when dealing with sensitive information.

John Snow