
I'm creating users for my application, and am securing them with the Spring security MD5 hash encoder:

import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.authentication.encoding.PasswordEncoder;

// Md5PasswordEncoder is unsalted MD5 (deprecated in favour of the crypto.password encoders);
// with a null salt the stored value is simply MD5 of the raw password.
PasswordEncoder encoder = new Md5PasswordEncoder();
String hashedPass = encoder.encodePassword(dbUser.getPassword(), null);
dbUser.setPassword(hashedPass);

So 'admin' becomes 'd41d8cd98f00b204e9800998ecf8427e'.

This is all fine and dandy, but I'm also trying to create a form where current users can go and update their details, etc.

I'm not bothered about decoding the MD5 hash as this is not part of spring (someone already asked). However, when I try to add it to my form, nothing appears.

<form:password cssClass="input" placeholder="Password" path="password" />

If I add the 'showPassword' attribute, then the MD5 hash gets added into the field blocked out (e.g. by circles on chrome), but if I right click and 'view source' the hash is there.

How can I make it so that it appears as the right number of characters as the original 'admin' input? HTML5 placeholder won't work as the user may think they have to retype their password each time, and JavaScript definitely wouldn't be a clean option.

Many thanks,

Toby

Toby
  • MD5 isn't a good choice. Use [BCrypt](http://stackoverflow.com/a/8528804/241990) instead. – Shaun the Sheep Mar 05 '13 at 14:42
  • I'm guessing the same issue of blank password fields still applies? Apart from an improved security level, are there any other particular benefits, e.g. performance? Cheers – Toby Mar 05 '13 at 18:54
  • Performance-wise, it is much slower (by design). Check the [Wikipedia page](http://en.wikipedia.org/wiki/Bcrypt) or search this site for more information. – Shaun the Sheep Mar 05 '13 at 20:06

2 Answers


The whole point of a hash is that you cannot reverse it. You cannot tell what the original was, and you cannot tell how long it was. You should never display it in any fashion.

bmargulies
  • OK, as I thought, but I missed out the second part of my query - is there a way to just display 6 star characters or whatever in a way that won't invalidate the form and isn't using the html5 placeholder? I don't like leaving the form element empty... Cheers – Toby Mar 05 '13 at 13:55

I do not recommend showing passwords (or other confidential information) to users: neither hashed nor plain text. To solve the UX issue you can:

1) Show empty input fields for passwords

2) Not show passwords at all, and have a separate link / menu to change a password.

Michael
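As an added example (not code from the question or from either answer), here is the pattern both answers point to, with the BCrypt suggestion from the comments taken up: the edit form is rendered with the password field empty, the handler leaves the stored hash alone when that field comes back empty and stores a fresh bcrypt hash otherwise, and the login check only ever calls matches() against the stored hash. This also avoids the trap of binding the form straight onto the entity, where an empty field would overwrite the hash with "". The DbUser and EditUserForm classes, UserProfileService and its method names are assumptions for illustration; BCryptPasswordEncoder is Spring Security's own class from spring-security-crypto. One detail worth checking against the question: d41d8cd98f00b204e9800998ecf8427e is MD5 of the empty string, while MD5 of 'admin' is 21232f297a57a5a743894a0e4a801fc3, so dbUser.getPassword() was empty at the moment it was encoded.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Hypothetical stand-in for the question's dbUser; the password column only ever holds a hash. */
class DbUser {
    private String password;
    String getPassword() { return password; }
    void setPassword(String hash) { password = hash; }
}

/** Hypothetical form-backing bean for the "update your details" page. */
class EditUserForm {
    String password = "";        // rendered empty; stays empty unless the user types a new one
    String passwordConfirm = "";
}

public class UserProfileService {
    // BCryptPasswordEncoder salts every hash and is deliberately slow to compute.
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    /** Builds the edit form. The stored hash is never copied into it, so it never reaches the browser. */
    EditUserForm formFor(DbUser user) {
        return new EditUserForm();
    }

    /**
     * Applies a submitted edit form. An empty password field means "leave my password alone";
     * anything else is treated as a new password and re-hashed. Returns true if the hash changed.
     */
    boolean applyForm(DbUser user, EditUserForm form) {
        if (form.password == null || form.password.isEmpty()) {
            return false;                                   // keep the existing hash untouched
        }
        if (!form.password.equals(form.passwordConfirm)) {
            throw new IllegalArgumentException("new password and confirmation differ");
        }
        user.setPassword(encoder.encode(form.password));   // fresh random salt each time
        return true;
    }

    /** Login check: compare the candidate against the stored hash; the hash is never decoded. */
    boolean passwordMatches(DbUser user, String candidate) {
        return encoder.matches(candidate, user.getPassword());
    }

    /** Unsalted MD5 as hex, only to show what the question's Md5PasswordEncoder with a null salt produced. */
    static String md5Hex(String input) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("MD5").digest(input.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        // The value quoted in the question is MD5 of the empty string, not of "admin".
        System.out.println("md5(\"admin\") = " + md5Hex("admin"));
        System.out.println("md5(\"\")      = " + md5Hex(""));

        UserProfileService service = new UserProfileService();
        DbUser user = new DbUser();
        user.setPassword(service.encoder.encode("admin"));
        String before = user.getPassword();

        // 1) Edit form submitted with the password field left blank: hash unchanged, login still works.
        EditUserForm form = service.formFor(user);
        System.out.println("changed after blank submit: " + service.applyForm(user, form));
        System.out.println("hash unchanged: " + before.equals(user.getPassword()));
        System.out.println("login with old password: " + service.passwordMatches(user, "admin"));

        // 2) User types a new password: a new salted hash is stored and the old password stops working.
        form.password = "correct horse battery staple";
        form.passwordConfirm = "correct horse battery staple";
        System.out.println("changed after new password: " + service.applyForm(user, form));
        System.out.println("old password rejected: " + !service.passwordMatches(user, "admin"));
        System.out.println("new password accepted: " + service.passwordMatches(user, form.password));

        // Two bcrypt hashes of the same password differ because of the random salt, yet both verify.
        String again = service.encoder.encode(form.password);
        System.out.println("hashes differ: " + !again.equals(user.getPassword()));
        System.out.println("both verify: " + service.encoder.matches(form.password, again));
    }
}
```

Because nothing about the stored hash is ever rendered, the question of "how many circles to show" goes away: the field is empty on every visit, and the server treats an empty submission as "no change". If the visual cue matters, a label such as "leave blank to keep your current password" conveys it without putting anything secret in the page source.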