I have a database where passwords are encrypted in plain old md5. There is no salt. All the usernames are numeric.

This is what the db looks like..

Username, Password, Hashed Password
0101,abcd123,79cfeb94595de33b3326c06ab1c7dbda

I am writing a web application using spring security. I have managed to get authentication working when the user types in 0101 as the username and then abcd123 as the password.

But what I really want working is the user to type in 101 (without the leading zero) as the username and abcd123 as the password.

I got my code working with the leading zero by overriding org.springframework.security.core.userdetails.UserDetailsService > loadUserByUsername(String userId).

I started looking at salt and then realized that I was totally going down the wrong track because this has nothing to do with my use password.

How can I alter my code so that my requirement is met? I tried to hack my own implementation of loadUserByUsername(String userId) to prepend a 0 on the way into the method but this did not work.

thanks

Richie
  • Why store the password and the hash? Basically that is insecure as you are storing plain passwords which is something you should NEVER do. Regarding the prepending a 0 that should just work. What you can do is try with the initial `userId` if not found try again with `0+userId`. – M. Deinum Nov 28 '13 at 07:01
  • MD5 should also not be used for hashing since it's very easy to crack. With spring security you don't need to worry about salt. It's handled for you. You should have a look at the BCrypt password encoder as well. http://stackoverflow.com/questions/8521251/spring-securitypassword-encoding-in-db-and-in-applicationconext – Bart Nov 28 '13 at 07:32
  • Thanks for comments guys. But I did not implement the hashing. I'm just hooking my application into it. If what I have done should work I'll keep at it. Thks – Richie Nov 28 '13 at 07:42
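As an added illustration of the two suggestions in the comments (not code from the question or from Spring Security itself): a UserDetailsService that retries the lookup with a leading zero, plus a PasswordEncoder that still verifies the unsalted MD5 column but has Spring Security rehash each row with BCrypt on the user's next successful login. `UserRepository` is a hypothetical data-access interface over the question's table, and the `upgradeEncoding` hook assumes Spring Security 5.1 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Optional;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Hypothetical data-access interface over the question's table: username -> stored hash column. */
interface UserRepository {
    Optional<String> findHashedPasswordByUsername(String username);
}
/** Looks the id up as typed and, if absent, retries with a leading zero (the approach from the comments). */
public class LegacyUserDetailsService implements UserDetailsService {
    private final UserRepository repo;
    public LegacyUserDetailsService(UserRepository repo) { this.repo = repo; }
    @Override
    public UserDetails loadUserByUsername(String userId) {
        String hash = repo.findHashedPasswordByUsername(userId)
                .or(() -> repo.findHashedPasswordByUsername("0" + userId))
                .orElseThrow(() -> new UsernameNotFoundException("unknown user " + userId));
        return User.withUsername(userId).password(hash).roles("USER").build();
    }
}
/** Accepts the existing unsalted MD5 hex rows but encodes new passwords with BCrypt. Because
 *  upgradeEncoding() is true for MD5 rows, DaoAuthenticationProvider rehashes the password after a
 *  successful login when a UserDetailsPasswordService is configured (Spring Security 5.1+). */
class Md5ToBcryptPasswordEncoder implements PasswordEncoder {
    private final BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();
    @Override public String encode(CharSequence raw) { return bcrypt.encode(raw); }
    @Override public boolean matches(CharSequence raw, String stored) {
        if (stored.startsWith("$2")) return bcrypt.matches(raw, stored);        // already migrated
        byte[] expected = stored.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(md5Hex(raw).getBytes(StandardCharsets.US_ASCII), expected); // constant time
    }
    @Override public boolean upgradeEncoding(String stored) { return !stored.startsWith("$2"); }
    static String md5Hex(CharSequence raw) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("MD5").digest(raw.toString().getBytes(StandardCharsets.UTF_8)))
                sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); } // MD5 ships with every JDK
    }
}
```

Wire both into DaoAuthenticationProvider and implement UserDetailsPasswordService to write the BCrypt hash back; once every row starts with `$2`, the MD5 branch and the plaintext Password column can be dropped.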

Thanks for the advice guys. I was lucky and I found another column in the database named sign on id. It contains the actual string that the user enters to sign into the application.

Richie