
I want to hear your opinion on my following thought of encrypting passwords for my usage.

I have a JFrame program which uses a textfield (username) and a passwordfield to "login". I want the password to be encrypted and then tested on the password that is saved in my database (Tables: Username, password <- Password is encrypted)

My idea is to create an MD5 hash value (as explained here) of the password that is saved in the database. When logging in to the software, the password should be encrypted (via MD5, as here) and tested against the one in the db.

Is there a more efficient way, or does mine even work?

Thanks in advance <3

  • How is that Java application used? I assume you know Java applications can very easily be decompiled back to .java files, meaning everybody who knows how to do it can figure out the MySQL username and password.. Oh and protecting with obfuscation makes it a "bit" harder but not impossible to do the same.. – Raymond Nijland Oct 19 '19 at 21:52
  • Ideally you should connect the Java application to a webservice or socket server which allows you to access the MySQL database.. – Raymond Nijland Oct 19 '19 at 21:53
  • Thanks^^ It's only for a school project in my subject "programming" so there is no serious / important data. I agree that it's quite the better way to use an online server but I think it's a bit overkill for me. :) –  Oct 19 '19 at 21:59
  • But, just for my interest... How does it work with the web server? I mean, I have to connect to that server then and write down the login credentials in the code, or am I wrong? –  Oct 19 '19 at 22:03
  • You make a server application that supports REST / SOAP / GraphQL .. And a client which can connect to it.. For example when you use REST you can simply HTTP POST a username / password for the application ... Only the REST server application now knows the MySQL username and password and checks if the HTTP posted username / password is correct.. But you will need to set an OAuth token/session token when the login is successful so the Java application can use that token on the other resources, for example to fetch his friends.. – Raymond Nijland Oct 19 '19 at 22:11

2 Answers


You should be using Bcrypt for password encryption instead.

Check:

https://github.com/patrickfav/bcrypt

MoralJustice
  • Why not Argon2id? – kelalaka Oct 19 '19 at 21:49
  • I believe Argon is still relatively new compared to Bcrypt. Bcrypt is slower than Argon, but Bcrypt has been out there for a while and has proven to be a stable and reliable solution. – MoralJustice Oct 19 '19 at 22:10
  • 2015 was the time Argon won the competition. Do you have any comparison that makes it faster than Bcrypt or better? Here is a [comparison](https://security.stackexchange.com/a/197550/86735). BCrypt was designed in 1999 and it lacks memory hardness, which makes it easy for parallel implementation on ASICs/FPGAs – kelalaka Oct 20 '19 at 06:20
  • @senshi even if it's a school project, it is a good opportunity to make the exercise and habit of doing the authentication properly. Either you choose argon2, bcrypt, scrypt, or pbkdf2, but avoid md5 in any case. Reasoning: https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/ – gusto2 Oct 21 '19 at 19:57
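As an added illustration of the bcrypt approach recommended above (example code, not from the answer or the patrickfav/bcrypt project), this is how the login flow from the question would look in Java: the registration step stores only the bcrypt string, and the login step lets bcrypt re-derive and compare. It assumes the `at.favre.lib.crypto.bcrypt` library is on the classpath, a `users(username, password)` table, and a password passed as the `char[]` that `JPasswordField.getPassword()` returns.

```java
import at.favre.lib.crypto.bcrypt.BCrypt;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;

public final class PasswordStore {
    // Work factor 2^12: raise it as hardware gets faster.
    private static final int COST = 12;
    // Constructed dummy hash used when the username does not exist, so that a
    // wrong username costs the same time as a wrong password.
    private static final String DUMMY_HASH =
            BCrypt.withDefaults().hashToString(COST, "placeholder".toCharArray());

    // Account creation: hash (salt + cost live inside the returned string) and
    // store the hash; the plaintext never reaches the database.
    public static void register(Connection db, String username, char[] password) throws SQLException {
        String hash = BCrypt.withDefaults().hashToString(COST, password);
        Arrays.fill(password, '\0');                      // drop plaintext from memory
        try (PreparedStatement ps = db.prepareStatement(
                "INSERT INTO users (username, password) VALUES (?, ?)")) {
            ps.setString(1, username);
            ps.setString(2, hash);
            ps.executeUpdate();
        }
    }

    // Login form: fetch the stored hash for this username and verify against it.
    public static boolean login(Connection db, String username, char[] password) throws SQLException {
        String stored = null;
        try (PreparedStatement ps = db.prepareStatement(
                "SELECT password FROM users WHERE username = ?")) {
            ps.setString(1, username);                    // parameterised, never concatenated
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) stored = rs.getString(1);
            }
        }
        try {
            if (stored == null) {
                BCrypt.verifyer().verify(password, DUMMY_HASH);   // unknown user: equal timing
                return false;
            }
            return BCrypt.verifyer().verify(password, stored).verified;
        } finally {
            Arrays.fill(password, '\0');
        }
    }
}
```

The stored column needs at least 60 characters, since a bcrypt string such as `$2a$12$...` is 60 bytes long.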

Why not use MySQL itself?

```sql
-- 'plaintext' and 'username' are placeholders for the literal values.
-- Note: PASSWORD() was deprecated in MySQL 5.7 and removed in MySQL 8.0.
SELECT PASSWORD('plaintext') FROM dual;

INSERT INTO users (username, password) VALUES ('username', PASSWORD('plaintext'));
```

Clarius