In my application there are some operations which are allowed only after an authorized user enters a password. So I need to store an encrypted password in a file and then, when required, read the encrypted password and compare it with the one entered. I have never done anything similar before and I need the simplest way to do it. Here I have found this tutorial, but then I have seen that it is much better not to use sun.misc.BASE64Decoder/Encoder. Can you help?

SagittariusA

3 Answers

Instead of storing the password you can store its hash. In order to compare it with another password you should compare the hashes, not the real passwords. The easy way to make hashes (with salt) would be using MessageDigest:

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Returns SHA-256(salt || value). The same salt must be used again when
// the entered password is hashed for comparison.
public byte[] makeDigest(String value, byte[] salt) throws NoSuchAlgorithmException {
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    md.update(salt);
    // Fix a charset explicitly; getBytes() without one depends on the platform default.
    return md.digest(value.getBytes(StandardCharsets.UTF_8));
}

You can make a digest of the password, then store the resulting byte array (and salt) in the file. Then use this method (and the original salt) to make a digest from the second password. And at last just compare the two byte arrays with Arrays.equals.

nogard
  • Totally agree. That way you can skip the decoding! – wassgren Jan 09 '15 at 15:44
  • This seems to be very useful and good. I will have a trial at once. A question: would you please tell me why it is bad to use sun.misc.BASE64Decoder/Encoder? – SagittariusA Jan 09 '15 at 15:49
  • One reason is [this](http://stackoverflow.com/questions/2267036/work-sun-misc-base64encoder-decoder-for-getting-byte). Another one is that if you can decrypt a password it is simply not safe. Password encryption should be one-way. – wassgren Jan 09 '15 at 15:51
I think you can also:

  1. Salt+hash (e.g. SHA-256) the password before storing it, and also save the salt. A randomly generated salt is better.
  2. Use the saved salt and rehash the password which the user entered.
  3. Just plainly compare them. If they match, you give access to the user.
Clau St
Have a look here: Encrypt Password in Configuration Files? and perhaps here: https://crackstation.net/hashing-security.htm

Augustin
  • Thanks but that link is the one I was talking about. It uses sun.misc.BASE64Decoder/Encoder which is said to be bad to use... I don't know why. – SagittariusA Jan 09 '15 at 15:44
  • Sorry, I hadn't noticed that. What about this library then: http://www.jasypt.org/ – Augustin Jan 09 '15 at 15:46
  • @Lory: Base64 encoding is data representation, not encryption. – fmgp Jan 09 '15 at 15:46
  • @Augustin: I had noticed that library but I couldn't find a simple tutorial. Do you have one to link? – SagittariusA Jan 09 '15 at 15:52
  • I found this to be quite understandable: http://blog.sortedset.com/how-to-encrypt-decrypt-a-password-stored-in-a-properties-file-with-java-jasypt-apache-commons-configuration/ – Augustin Jan 09 '15 at 15:56