12

Does someone know how to encrypt the password which the user adds into the password field?

I tried this tutorial but I didn't get it to work.

https://gist.github.com/aogilvie/6267013#file-string_encrypt_decrypt-md

I hope someone can help me :(

Shalomi90
  • **Do not encrypt passwords**, when the attacker gets the DB he will also get the encryption key. Iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as `password_hash`/`password_verify`, `PBKDF2` (aka `Rfc2898DeriveBytes`), `Bcrypt` and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. – zaph Dec 19 '16 at 16:25

3 Answers

17
    import java.security.Key;
    import javax.crypto.Cipher;
    import javax.crypto.spec.SecretKeySpec;
    import android.util.Base64;

    public class AESCrypt
    {
        // Only the algorithm is named; mode and padding fall back to the provider default (AES/ECB/PKCS5Padding on JCE)
        private static final String ALGORITHM = "AES";
        // 16 ASCII bytes used directly as the AES-128 key; the key is fixed and embedded in the code
        private static final String KEY = "1Hbfh667adfDEJ78";

        public static String encrypt(String value) throws Exception
        {
            Key key = generateKey();
            Cipher cipher = Cipher.getInstance(AESCrypt.ALGORITHM);
            cipher.init(Cipher.ENCRYPT_MODE, key);
            byte[] encryptedByteValue = cipher.doFinal(value.getBytes("utf-8"));
            // Base64 so the ciphertext can be stored or sent as text
            String encryptedValue64 = Base64.encodeToString(encryptedByteValue, Base64.DEFAULT);
            return encryptedValue64;
        }

        public static String decrypt(String value) throws Exception
        {
            Key key = generateKey();
            Cipher cipher = Cipher.getInstance(AESCrypt.ALGORITHM);
            cipher.init(Cipher.DECRYPT_MODE, key);
            byte[] decryptedValue64 = Base64.decode(value, Base64.DEFAULT);
            byte[] decryptedByteValue = cipher.doFinal(decryptedValue64);
            String decryptedValue = new String(decryptedByteValue, "utf-8");
            return decryptedValue;
        }

        private static Key generateKey() throws Exception
        {
            Key key = new SecretKeySpec(AESCrypt.KEY.getBytes(), AESCrypt.ALGORITHM);
            return key;
        }
    }

Using this will solve your problem.

Rishabh Mahatha
  • Just specifying the encryption algorithm ("AES") without specifying the mode and padding is incomplete and leaves those defaults to the specific implementation. All three should be supplied such as "AES/CBC/PKCS5Padding". It appears that this answer is using ECB mode and PKCS5Padding but that is a guess from just reading the code. – zaph Dec 19 '16 at 16:45
  • Do not use ECB mode, it is insecure, see [ECB mode](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_Codebook_.28ECB.29), scroll down to the Penguin. Instead use CBC mode with a random IV, just prefix the encrypted data with the IV for use in decryption. – zaph Dec 19 '16 at 16:45
  • should use hash instead – has19 Dec 25 '18 at 22:20
9

Quoting this post: Difference between Hashing a Password and Encrypting it. I would recommend you use hashing (not encrypting) to store passwords. You can use e.g. md5 (not recommended), sha1, sha2...

Example implementation of SHA1: How to SHA1 hash a string in Android?

Leśniakiewicz
  • little update: [please avoid SHA1](https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know) too – Antonino May 02 '19 at 23:58
2

This is the easiest solution that ever existed for normal encryption. First, add this in your build gradle file:

    implementation 'com.scottyab:aescrypt:0.0.1'

Then use the below code for encryption and decryption:

    import com.scottyab.aescrypt.AESCrypt;
    import java.security.GeneralSecurityException;

    public class Example {
        public static void main(String[] args) {
            // To Encrypt
            String password = "password";
            String message = "hello world";
            try {
                String encryptedMsg = AESCrypt.encrypt(password, message);
                System.out.println(encryptedMsg);
            } catch (GeneralSecurityException e) {
                // handle error
            }

            // To Decrypt (same password as above)
            String encryptedMsg = "2B22cS3UC5s35WBihLBo8w==";
            try {
                String messageAfterDecrypt = AESCrypt.decrypt(password, encryptedMsg);
                System.out.println(messageAfterDecrypt);
            } catch (GeneralSecurityException e) {
                // handle error - could be due to incorrect password or tampered encryptedMsg
            }
        }
    }
Zia
  • I don't understand why people would want to decrypt passwords!? My understanding is that you choose a strong, repeatable encryption method, and for validation, you encrypt the given password and compare the result with what you have saved. In case the pw's encryption is reversible, the provider knows your password. I wouldn't want that. – cslotty Apr 21 '21 at 09:34
  • @cslotty there are situations where this is very needed; a typical case would be a __GET request__ in Android WebView where credentials (or some values) are easy to pass using URL instead of POST. It would make sense to encrypt these and decrypt on the server-side. Thereafter is when you start the __normal one-way hashing__. – Ajowi Aug 11 '21 at 17:05
  • @Ajowi - Well, passwords are usually encrypted exactly once, and that's when they are created. After that they won't ever get decrypted. They are saved on the server-side in the encrypted way, and you use the same encryption on the client-side. User input is then encrypted and compared with the encrypted value on server-side. We weren't talking about values other than passwords, they are a different story! – cslotty Aug 12 '21 at 11:58