1

I'm not familiar with password saving AT ALL. I have a Java app with user-password features for a school project. It's connected to an Oracle DB and I don't want to store the passwords in String format. It's very ugly.

Any simple way to store the passwords in just a bit more adequate (secure) way?

If I store the passwords in a char[] format will there be any difference?

elixenide
  • Short answer is, don't. You should never try and maintain the "actual" password if you can; it's too great a security risk. Instead, create a one-way hash of the password and store that instead. – MadProgrammer May 20 '15 at 00:15
  • You need to "salt" (append a random string) and hash the password. ***Never*** store the password itself. Only store the salt and the hashed-and-salted version of the password. This is a huge topic. I'd suggest you start reading the OWASP materials on this. Most importantly, use an existing library and do not try to "roll your own." – elixenide May 20 '15 at 00:20

4 Answers

2

The go-to package for Java 8 password hashing is MessageDigest. You'll want to hash the user input password and compare it to some stored hashed password in your DB.

https://docs.oracle.com/javase/8/docs/api/java/security/MessageDigest.html

manglano
2

In addition to the answer, I suggest using salted hashed passwords rather than just hashed passwords. The OWASP site provides a good source of information about how to prevent hacking and all. Please refer to this link https://www.owasp.org/index.php/Hashing_Java. https://crackstation.net/hashing-security.htm is a well explained blog. This blog explains what you should do and not do. How to generate a salted and hashed password in Java is explained by this link too: How do I generate a SALT in Java for Salted-Hash?.

bobs_007
0

Always store your passwords as hashes. Look for hash functions like SHA (Secure Hash Algorithm). You should:

  1. Storing: convert the password to a hash and store the hash in the DB
  2. Authenticating: convert the password to a hash and compare it with the hash stored in the DB
dev_ankit
0

Try this at the Oracle database end.

http://docs.oracle.com/cd/B19306_01/appdev.102/b14258/d_crypto.htm#BJFGFDFG

Karthik Cherukuri