
Currently I'm trying to generate secure passwords, and I have the following method:

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public String blowfishEncrypt(String pass){
    //String encPass = BCrypt.hashpw(pass, BCrypt.gensalt(12));
    //return encPass;

    try{
        //KeyGenerator keygenerator = KeyGenerator.getInstance("Blowfish");
        // Fixed key embedded in the source
        String key = "q2eRE#$%FwdfsdfCS#$@wDwfV3evf$&%";
        byte[] keyData = key.getBytes();
        SecretKeySpec KS = new SecretKeySpec(keyData, "Blowfish");

        //SecretKey secretkey = keygenerator.generateKey();
        // "Blowfish" alone defaults to ECB mode with PKCS5 padding
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.ENCRYPT_MODE, KS);
        byte[] encrypted = cipher.doFinal(pass.getBytes());
        // byte[] has no value-based toString(): this yields "[B@<identity hash>",
        // not the ciphertext bytes
        return encrypted+"";
    }catch(Exception e){
        e.printStackTrace();
        return "error";
    }
}

It's generating different Strings each time I access the method, even though I'm using a static key and I enter the same word.

I also think it isn't safe to use an explicit key (added manually in the code).

My idea is to encrypt the entered text and store it in the database (encrypted), and then, if the user tries to log in, the entered text will be encrypted and compared with the encrypted one in the database.

The problem is that my method is generating different strings with the same word, so passwords will never match.

  1. input = qwerty -> output = [B@327b2e35
  2. input = qwerty -> output = [B@1b045c1

Maybe I'm doing something wrong; I'd like to know.

Thanks for your answers

  • You should hash your passwords, not encrypt them. Use bcrypt. Never encrypt passwords. – Luke Joshua Park Feb 14 '18 at 19:05
  • See [this question](https://stackoverflow.com/q/19138732/238704). – President James K. Polk Feb 14 '18 at 19:51
  • **Do not encrypt passwords**: when the attacker gains admin access he will also get the encryption key. Also, just using a hash function is not sufficient, and just adding a salt does little to improve the security. Iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use a function such as `PBKDF2`, `Rfc2898DeriveBytes`, `Argon2`, `password_hash`, `Bcrypt` or similar functions. The point is to make the attacker spend a substantial amount of time finding passwords by brute force. – zaph Feb 14 '18 at 20:45
  • @LukeJoshuaPark, thanks for answering me. I'll use Bcrypt. About the question you told me to see, that's exactly what was happening with my code. – Cesar gutierrez Feb 14 '18 at 21:36
  • @zaph You're right. I wonder if you could tell me how to use Bcrypt in Android Studio. I've been trying it: I downloaded it from here "https://www.mindrot.org/projects/jBCrypt/" and I've pasted the whole folder into my Android project, but it's throwing me errors in some parts of the code. Or do I have to add it as a library? – Cesar gutierrez Feb 14 '18 at 21:43
