
I have a database where one of the columns (password) has the datatype Binary(60).

I am using the password as a String in Java and trying to compare the password coming from Java (from the user interface) with the password (as binary) in MySQL.

But it never gives me any result.

Please guide me on what datatype/value will be able to compare with the Binary type.

Thanks

junaidp
  • Why have you stored the password as a Binary type? – christopher Aug 02 '13 at 11:12
  • That's what I am thinking, as I am not working with the database; I'm just a developer, I just got this database from a database developer. You don't recommend this? – junaidp Aug 02 '13 at 11:14

3 Answers


I'm confused as to why you've used the binary type, but you can try:

String password = "a password";
// Run password through cryptographic functions.
String binaryStr = "";

// A String is not Iterable, so iterate over its char array.
for (char c : password.toCharArray())
{
    int charInt = (int) c;
    // Convert the character to its integer representation.
    binaryStr += Integer.toBinaryString(charInt);
    // Convert that integer into a binary string.
}

The BINARY and VARBINARY types are similar to CHAR and VARCHAR, except that they contain binary strings rather than nonbinary strings.

Following the documentation, you can simply compare this new binary value you've generated with the value in the table.

HOWEVER, keep in mind that this is a really bizarre way of storing the password, and it makes much more sense just to store the message digest (given that storing it in binary form offers 0 additional security).

christopher

You should set your field as PASSWORD in MySQL instead. That way, the password will be hashed with MD5 whenever you save your password in the DB. To make a comparison when a user logs in, you just hash the user-given password with MD5 and do a string compare against the password which is stored in the DB.

Filip
  • Please be advised that MD5 is **NOT** encryption, but merely a hash function. Encryption would mean that some kind of key were involved and you could get back to the original data provided you had that key. – Daniel Schneller Aug 02 '13 at 11:23
  • MD5 for passwords is a bad idea, because it has been broken. Moreover, at the very least the values should be salted. Better yet, use a secure hash (SHA-2, SHA-128, SHA-256) if you must, but best, for passwords anyway, use something like bcrypt or PBKDF2. See my answer. – Daniel Schneller Aug 02 '13 at 11:32

Having the database field be configured as a binary string is maybe not ideal, but not a problem either.

The problem, however, is that you intend to store the password in there directly. Please do not do this, as it will create a major security flaw.

Hashing it as suggested in another answer is better, but still not really good. The problem with that is that there are so-called rainbow tables which can be used to reverse-lookup hashes to their original value.

The minimum you need to do is use a salted hash (https://en.wikipedia.org/wiki/Salt_(cryptography)) or even better, use something like bcrypt or PBKDF2 (see Password Verification with PBKDF2 in Java) to create a secure hash of the user provided password. These hashes will have fixed lengths and can easily be stored as a binary string in your given database field.

When checking the user entry, just perform the same function again and compare that with the database content. Of course, you must use SSL to transfer the password from client to server.

Daniel Schneller
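Added example (written for this page; it is not code from the asker or from any of the answerers): how the BINARY(60) column from the question can be written and checked from Java using the salted PBKDF2 approach Daniel Schneller's answer recommends, here with the JDK's built-in PBKDF2WithHmacSHA256 rather than a third-party bcrypt library. It also covers the point christopher's answer is reaching for: a BINARY column holds raw bytes, so the Java side binds a byte[] through PreparedStatement.setBytes and reads it back with ResultSet.getBytes instead of building a string of ones and zeroes. One caveat a practitioner should know: MySQL right-pads BINARY(M) values with 0x00 to exactly M bytes and includes that padding in comparisons, which is a common reason a comparison against a shorter value never matches. The example therefore builds the full 60-byte value itself so that what is written is byte-for-byte what is read back. The users table, its username and password columns, and the salt/hash layout inside the 60 bytes are assumptions made for this example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStore {
    // Assumed layout of the 60-byte column: [16-byte salt][32-byte PBKDF2 hash][12 zero bytes].
    // MySQL right-pads BINARY(60) with 0x00 and compares all 60 bytes, so the full 60-byte
    // value is built here: what is written equals what is read back.
    static final int SALT_LEN = 16;
    static final int HASH_LEN = 32;
    static final int COLUMN_LEN = 60;
    static final int ITERATIONS = 100_000;
    static final SecureRandom RNG = new SecureRandom();

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_LEN * 8);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();
    }

    /** Value to store in the BINARY(60) column when a password is set. */
    static byte[] hashForStorage(char[] password) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);                       // fresh random salt per password
        byte[] hash = pbkdf2(password, salt);
        byte[] stored = new byte[COLUMN_LEN];      // trailing bytes stay 0x00, matching MySQL padding
        System.arraycopy(salt, 0, stored, 0, SALT_LEN);
        System.arraycopy(hash, 0, stored, SALT_LEN, HASH_LEN);
        return stored;
    }

    /** Recompute with the stored salt and compare in constant time, in Java rather than in SQL. */
    static boolean verify(char[] password, byte[] stored) throws Exception {
        if (stored == null || stored.length != COLUMN_LEN) return false;
        byte[] salt = Arrays.copyOfRange(stored, 0, SALT_LEN);
        byte[] expected = Arrays.copyOfRange(stored, SALT_LEN, SALT_LEN + HASH_LEN);
        byte[] actual = pbkdf2(password, salt);
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }

    // JDBC side (assumed table "users" with columns username and password):
    // bind the byte[] with setBytes and read it back with getBytes.
    static void save(Connection conn, String user, char[] password) throws Exception {
        try (PreparedStatement ps = conn.prepareStatement(
                "UPDATE users SET password = ? WHERE username = ?")) {
            ps.setBytes(1, hashForStorage(password));
            ps.setString(2, user);
            ps.executeUpdate();
        }
    }

    static boolean login(Connection conn, String user, char[] password) throws Exception {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT password FROM users WHERE username = ?")) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && verify(password, rs.getBytes("password"));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Offline demonstration: a map stands in for the users table.
        Map<String, byte[]> table = new HashMap<>();
        table.put("alice", hashForStorage("correct horse".toCharArray()));
        table.put("bob", hashForStorage("correct horse".toCharArray()));
        System.out.println("stored length: " + table.get("alice").length);
        System.out.println("right password: " + verify("correct horse".toCharArray(), table.get("alice")));
        System.out.println("wrong password: " + verify("wrong".toCharArray(), table.get("alice")));
        // Same password, different salt: the stored values differ, defeating rainbow tables.
        System.out.println("alice == bob: " + Arrays.equals(table.get("alice"), table.get("bob")));
    }
}
```

The check is done in Java with MessageDigest.isEqual after fetching the stored bytes by username, not with a WHERE password = ? clause: the plaintext password never reaches the database, the comparison is constant-time, and the BINARY padding cannot cause a spurious mismatch because the stored value is always a full 60 bytes.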