
I want to encrypt my password after the user is created and persist it in the DB. I write the password into the "password" field and press the "Save" button. Then I use this library

For encryption

        import org.jasypt.util.password.BasicPasswordEncryptor;

        // jasypt's BasicPasswordEncryptor: no key is supplied, the result is a salted one-way digest
        BasicPasswordEncryptor passwordEncryptor = new BasicPasswordEncryptor();
        String encryptedPasword = passwordEncryptor.encryptPassword(myPasword);
        user = new User();
        user.setUsername(username);
        user.setUserRole(role);
        user.setFistname(firstname);
        user.setLastname(lastname);
        user.setGroupId(group);
        user.setBssLogin(login);
        user.setBssPassword(encryptedPasword); // digest is what gets persisted
        dao.addCrmUser(user);

After that, I have a new encrypted password inside my DB.

On the server side, I get the user and try to decrypt the password

        String login = user.getLogin();
        String password = user.getPassword();
        String dencryptPassword = encryptor.**NOT_METHOD_FOR_IT**(password);

I need the original password, which is set inside another system. How can I do this with my current library?

I found this and other libraries on GitHub that use some key, but I do not know which is better and/or faster.

Julien
user5620472
  • See [tag:password-encryption] for why you should not do this, and [this question](http://stackoverflow.com/questions/2283937/how-should-i-ethically-approach-user-password-storage-for-later-plaintext-retrie/2287672#2287672) for ethical reasons you can advance to the client. – user207421 Mar 14 '16 at 07:22
  • My system uses another system. How can I log in to the other system if I do not know the user's password? – user5620472 Mar 14 '16 at 08:46

2 Answers


You do not decrypt the password from the database to verify it.

You encrypt the password received from the user when trying to login, and compare that encrypted value with the value in the database. Good password encryption is really a hash function, which is not reversible, for security.

Jim Garrison
  • I compare this password with a password that is not in the database. There is another system; it has its own database, and the password is there in its original form – user5620472 Mar 14 '16 at 06:49
  • I understand that this is a bad decision, but the customer requires it. I store the login and password from the other system in my user – user5620472 Mar 14 '16 at 06:50
  • That is extremely bad design. Passwords should never be stored in plaintext, only the hashes should be stored. – Jim Garrison Mar 14 '16 at 06:50
  • So I want to encrypt the password when it is entered into the web form and stored in the database, and decrypt it on the server to send it to the other system – user5620472 Mar 14 '16 at 06:51
  • But you are asking how to decrypt the stored password. It can't be both ways. Either the password is stored hashed, in which case you hash the login password and compare, or it is coming in unhashed, in which case there is no problem. – Jim Garrison Mar 14 '16 at 06:52
  • Then you cannot use a one-way hash, and you WILL have to compromise security. Explain to your employer that what they are doing violates all basic security principles. – Jim Garrison Mar 14 '16 at 06:53
  • Maybe I can encrypt with some key and decrypt on the server with the same key? And hard-code the key directly in the source? Or can you advise a solution for doing this? – user5620472 Mar 14 '16 at 06:54
  • The key will have to be visible on the client == no security – Jim Garrison Mar 14 '16 at 06:54
  • Yes, I tried to explain. The boss understands but insists on storing the password for the target system in the database – user5620472 Mar 14 '16 at 06:55
  • Client and server are an internal product of the company. – user5620472 Mar 14 '16 at 06:56
  • By the way, the password is not stored on the server but on the client))))) the client connects to the database)))) the architecture is like that here))) – user5620472 Mar 14 '16 at 06:59

The BasicPasswordEncryptor() in jasypt does, despite its name, not encrypt the password, but hashes it using a one-way hash (a big tell is that the method doesn't require an encryption key).

You can't get the password back after this process, and the password is verified using the checkPassword(String plainPassword, String encryptedPassword) method.

If you really need to be able to decrypt the password, you need to use another way to do real encryption when encrypting it. This raises the need for handling of encryption keys, which might introduce just as many problems as it solves (where to store them, etc.).

Ebbe M. Pedersen
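An added example (not from the question or either answer) showing the two jasypt APIs side by side: the one-way BasicPasswordEncryptor with checkPassword, and a reversible BasicTextEncryptor whose key is read from an environment variable (CRM_ENC_KEY is an assumed name) rather than hard-coded, as the comments above discuss.

```java
import org.jasypt.util.password.BasicPasswordEncryptor;
import org.jasypt.util.text.BasicTextEncryptor;

public class JasyptStorageDemo {

    // One-way: what the question's code actually does. The stored value is a
    // salted digest, so there is no decrypt step; verification re-hashes the
    // candidate and compares via checkPassword.
    static String storeHashed(String plainPassword) {
        return new BasicPasswordEncryptor().encryptPassword(plainPassword);
    }

    static boolean verifyHashed(String candidate, String storedDigest) {
        return new BasicPasswordEncryptor().checkPassword(candidate, storedDigest);
    }

    // Reversible: only for the case where the server must forward the original
    // secret to another system. The key is taken from the environment (assumed
    // variable CRM_ENC_KEY), never from source control, so a copy of the DB
    // alone does not expose the passwords. jasypt's stronger text encryptors
    // use the same setPassword/encrypt/decrypt shape.
    private static BasicTextEncryptor textEncryptor() {
        String key = System.getenv("CRM_ENC_KEY");
        if (key == null || key.isEmpty()) {
            throw new IllegalStateException("CRM_ENC_KEY is not set");
        }
        BasicTextEncryptor enc = new BasicTextEncryptor();
        enc.setPassword(key);
        return enc;
    }

    static String storeEncrypted(String plainPassword) {
        return textEncryptor().encrypt(plainPassword);
    }

    static String recoverEncrypted(String ciphertext) {
        return textEncryptor().decrypt(ciphertext);
    }

    public static void main(String[] args) {
        String secret = "s3cret-example"; // constructed sample value
        String digest = storeHashed(secret);
        System.out.println("correct password verifies: " + verifyHashed(secret, digest));
        System.out.println("wrong password verifies:   " + verifyHashed("other", digest));
        // A fresh salt is drawn per call, so two digests of the same password differ.
        System.out.println("digests identical:         " + digest.equals(storeHashed(secret)));

        String ct = storeEncrypted(secret);
        System.out.println("encrypt/decrypt round-trip: " + secret.equals(recoverEncrypted(ct)));
    }
}
```

Run with jasypt on the classpath and CRM_ENC_KEY exported; the first block never needs the key, which is the practical difference the answer describes.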