
I am trying to develop user authentication for my project. To realize this I have created a table with two columns, username and password. The username is stored as it is, whereas the password is encrypted using jasypt.

i.e. the password entered by the user during registration is encrypted using an encryption key and then placed in the corresponding column.

When the user wants to log in to the application, the program fetches the encrypted password of the same user, and the password is decrypted using the same encryption key.

Then the decrypted password is matched with the one that is entered.

Is this the right way of implementing it?

I did even find out that there are other ways to implement key and value pairs, but I was not able to understand that. Kindly help with a resource, or some brief explanation.

User27854
  • Hashing the passwords and storing the hashes should be preferable to encryption. – Uku Loskit Dec 23 '14 at 11:21
  • What you are doing is correct!!! No need to change. – Sushant Tambare Dec 23 '14 at 11:30
  • @UkuLoskit, thanks for the info. Am I looking at the correct material for hashing? http://www.jasypt.org/encrypting-passwords.html. Sorry, slightly lost. :( – User27854 Dec 23 '14 at 11:34
  • @user2900314 you can google it ;). Here is what I think will help you: http://howtodoinjava.com/2013/07/22/how-to-generate-secure-password-hash-md5-sha-pbkdf2-bcrypt-examples/ – Sushant Tambare Dec 23 '14 at 11:37
  • @javadev I want that to be implemented using jasypt, as jasypt makes it simpler to use. I figured it out. The above link that I have posted explains that. Now my task will be to choose the necessary algorithm. Thanks for your help. I was stuck with this issue for two days. :) – User27854 Dec 23 '14 at 11:42
  • The 'standard way' is to hash passwords, not encrypt them. – user207421 Dec 23 '14 at 11:52

2 Answers


Sounds correct :) Why change something that already works? :) There is no perfect security, but you made a good effort, and there are other methods to do it, but I see no problem with yours (no need for another encryption).

Android: Encrypt password

http://nelenkov.blogspot.co.il/2012/04/using-password-based-encryption-on.html

http://security.blogoverflow.com/2013/09/about-secure-password-hashing/

No need for other info ;)

serg

The problem with your method is that you must take good care of the security of the encryption key.

This is the normal way for website or application authentication:

During registration, use a hash algorithm (MD5 was popular before but has proved to be unsafe now) to encrypt the password+salt, where the salt is a random string. Then store the hash value and the salt with the username.

When a user wants to log in and enters a username and password, first add the salt to the password and use the same hash algorithm to encrypt it. Then see if the result matches the stored hash value.

Qmick Zh