I have created a simple login page with basic requirements. I have stored the registered user details in a database. As of now I have stored their passwords in plain text, but I want to encrypt the password and then store it in the database. I am using Java and JSP for views. I am also trying to create a link for "forgot password". Once the user enters their mail id and clicks the button, the user should check their mail for the reset password link, which is accessible for a specified time; after that the link will expire. Please help me with this.
Refer to this link: https://stackoverflow.com/questions/10303767/encrypt-and-decrypt-in-java – Nitin Zadage Nov 25 '19 at 06:21
Possible duplicate of [Encrypt and Decrypt in Java](https://stackoverflow.com/questions/10303767/encrypt-and-decrypt-in-java) – Nitin Zadage Nov 25 '19 at 06:21
I am trying to create a link for "forgot password". Once the user enters their mail id and clicks the button, the user should check their mail for the reset password link, which is accessible for a specified time; after that the link will expire. Please help me with this. – Cat Nov 25 '19 at 06:29
Passwords should be hashed (with something like pbkdf2, bcrypt, etc), not encrypted. – Mark Rotteveel Nov 25 '19 at 12:30
For storing passwords, please read [this post](https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/); for password reset, try to open a new question and elaborate on what exactly you are struggling with (what is not clear). – gusto2 Nov 25 '19 at 13:13
I followed the post [https://stackoverflow.com/questions/47537908/how-do-i-hash-and-salt-a-password-into-mysql-database-using-a-servlet]. But when I tried to log in with the password I am getting "Invalid user credentials", as the password entered in the db looks like `SHA2(CONCAT('gayuranimini', 78622100), 256)`. I tried entering `78622100` alone in the db, and when I tried to log in with `gayuranimini` I am getting the "Invalid user credentials" error. When I tried logging in with `78622100` the login was successful. Please tell me where I am wrong. – Cat Nov 26 '19 at 05:55
I want the encrypted password to be entered in the db, and when trying to log in I want to enter `gayuranimini`, not `78622100`. Please tell me what I should change. The following is my insert query: `preparedStatementInsert=con.prepareStatement("insert into Users(Email,userName,password) values (?,?,?)");` – Cat Nov 26 '19 at 06:11
2 Answers
First of all, there's a difference between encryption and hashing. You should use hashing instead of encryption because hashing is a one-way function, which is more secure; the encryption process, on the other hand, is less secure and can be decrypted.
Second, there are many hashing algorithms, like SHA256 and md5 (you shouldn't use md5 now because it is less secure). Use some SALT technique to generate an even more secure hash.
Third, you should personally search for the reset password mechanism yourself; spoon-feeding won't be good for you. Research is better before questioning. But you can get an idea of how to implement the forgot-password functionality from here: Implementing forgot password functionality in Java

I have browsed the link you mentioned. The thing is, I don't know how to create `token, expirationdate` while creating the table, and how to access the token when sending mail to the user. – Cat Nov 25 '19 at 06:32
You can get an idea of how to create and verify `JWTs (JSON Web Tokens)` from the link below. Go through it carefully. https://developer.okta.com/blog/2018/10/31/jwts-with-java It has all the concepts of `token` and `expirationdate`. – Akif Hussain Nov 25 '19 at 06:53
I'd have written the whole idea here, but I want you to do some research and put in some effort. That will help you learn how to think. – Akif Hussain Nov 25 '19 at 07:01
[https://stackoverflow.com/questions/47537908/how-do-i-hash-and-salt-a-password-into-mysql-database-using-a-servlet] I tried with the link, but when I tried to log in with the password I am getting "Invalid user credentials", as the password entered in the db looks like `SHA2(CONCAT('gayuranimini', 78622100), 256)`. I tried entering `78622100` alone in the db, and when I tried to log in with `gayuranimini` I am getting the "Invalid user credentials" error. When I tried logging in with `78622100` the login was successful. Please tell me where I am wrong. – Cat Nov 26 '19 at 11:14
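The comments above ask how a `token` and `expirationdate` for the reset link are created, stored and checked. The following is an added example (not code from the thread or from the linked articles) that uses an opaque random token instead of the JWT approach suggested above: the server emails the raw token, stores only its SHA-256 hash together with an expiry timestamp, and accepts it once before the expiry. The `Row` class, the in-memory `table`, the 30-minute `TTL` and the `example.com` addresses are all assumptions standing in for the real database table and deployment.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Single-use, time-limited password-reset tokens (added example, not from the thread). */
public class ResetTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofMinutes(30); // assumed validity window

    /** One row of the hypothetical reset_token table: only the token's hash is kept. */
    private static final class Row {
        final String email;
        final Instant expiresAt;
        boolean used;
        Row(String email, Instant expiresAt) { this.email = email; this.expiresAt = expiresAt; }
    }

    // In-memory stand-in for the table; a real app would keep these columns in the database.
    private final Map<String, Row> table = new HashMap<>();

    /** Creates a token for the account and returns the value that goes into the emailed link. */
    public String issue(String email, Instant now) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        table.put(sha256(token), new Row(email, now.plus(TTL)));
        return token; // the plain token leaves only via email; the DB sees just its hash
    }

    /** Returns the account email if the token is known, unexpired and unused; marks it used. */
    public Optional<String> redeem(String token, Instant now) {
        String key = sha256(token);
        Row row = table.get(key);
        if (row == null || row.used) return Optional.empty();
        if (now.isAfter(row.expiresAt)) {
            table.remove(key);                           // expired: discard the row
            return Optional.empty();
        }
        row.used = true;                                 // single use
        return Optional.of(row.email);
    }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        ResetTokens store = new ResetTokens();
        Instant t0 = Instant.now();
        String token = store.issue("user@example.com", t0);    // constructed sample address
        System.out.println("https://example.com/reset?token=" + token);
        System.out.println("redeem after 10 min: " + store.redeem(token, t0.plus(Duration.ofMinutes(10))));
        System.out.println("redeem again:        " + store.redeem(token, t0.plus(Duration.ofMinutes(11))));
        String late = store.issue("user@example.com", t0);
        System.out.println("redeem after 31 min: " + store.redeem(late, t0.plus(Duration.ofMinutes(31))));
    }
}
```

Storing the hash rather than the token means a read of the table does not yield usable links, and passing `now` explicitly keeps the expiry check testable. In a real table, `token_hash`, `expires_at` and `used` would be the columns, with `expires_at` compared against the database clock in the `WHERE` clause of the lookup.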
For storing passwords it's unwise to encrypt them and store the encrypted version, as you never need to reverse the encryption.
There are essentially 3 parts to secure password storage:
Hashing
Hashing is preferred as, by design, it's irreversible. Plenty of strong hashing algorithms exist and it would be unwise to look to develop your own. SHA-2 and SHA-3 are good examples.
Salting
It's also good practice to use a non-private salt, essentially a string that's stored in the database and appended to the password that's submitted every time, both to create the hash and to check for correctness. This is to prevent attacks using precomputed rainbow tables, since salts are suitably random.
Peppering
Finally, providing a unique private key within your code that you feed to your hash function makes computing rainbow tables that much more difficult.

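The three parts described in this answer (hashing, a per-user salt stored next to the hash, and a secret pepper kept out of the database) fit together in the added example below. It is not code from the answer or the thread; it uses PBKDF2-HMAC-SHA256 from the standard `javax.crypto` API rather than a bare SHA-2 digest, mixes the pepper in by appending it to the salt, and compares hashes in constant time. It also shows the asker's own `insert into Users(...)` statement with the hash computed in Java before the insert, which is what the `SHA2(CONCAT(...))` comments above were missing. The iteration count, the `iterations$salt$hash` storage format, the `insertUser` method and the placeholder pepper string are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Salted, peppered PBKDF2 password storage (added example, not from the thread). */
public class PasswordStore {
    private static final int ITERATIONS = 210_000;   // assumed work factor; tune for your hardware
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    private final byte[] pepper; // hypothetical secret loaded from config/env, never stored in the DB

    public PasswordStore(byte[] pepper) {
        this.pepper = pepper.clone();
    }

    /** Hashes a password with a fresh random salt; the result is what goes in the password column. */
    public String hash(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                              // per-user, non-secret salt
        byte[] dk = pbkdf2(password, salt, ITERATIONS);
        return ITERATIONS + "$" + b64(salt) + "$" + b64(dk);
    }

    /** Re-derives the hash from the stored salt and compares it in constant time. */
    public boolean verify(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) return false;
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }

    /** PBKDF2-HMAC-SHA256; the pepper is appended to the salt so it enters the derivation. */
    private byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        byte[] saltAndPepper = new byte[salt.length + pepper.length];
        System.arraycopy(salt, 0, saltAndPepper, 0, salt.length);
        System.arraycopy(pepper, 0, saltAndPepper, salt.length, pepper.length);
        PBEKeySpec spec = new PBEKeySpec(password, saltAndPepper, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                         // wipe the password chars held by the spec
        }
    }

    /** The question's insert statement, with the hash computed in Java rather than in SQL. */
    public void insertUser(Connection con, String email, String userName, char[] password)
            throws SQLException, GeneralSecurityException {
        try (PreparedStatement ps = con.prepareStatement(
                "insert into Users(Email,userName,password) values (?,?,?)")) {
            ps.setString(1, email);
            ps.setString(2, userName);
            ps.setString(3, hash(password));              // never the plain password
            ps.executeUpdate();
        }
    }

    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }

    public static void main(String[] args) throws GeneralSecurityException {
        // placeholder pepper; a deployment would load a long random secret from outside the code base
        PasswordStore store = new PasswordStore("change-me-pepper".getBytes(StandardCharsets.UTF_8));
        String stored = store.hash("gayuranimini".toCharArray());  // the question's sample password
        System.out.println("stored: " + stored);
        System.out.println("correct password: " + store.verify("gayuranimini".toCharArray(), stored));
        System.out.println("wrong password:   " + store.verify("78622100".toCharArray(), stored));
    }
}
```

Login then calls `verify` with the password the user typed and the string read from the `password` column, so `gayuranimini` succeeds and `78622100` does not. Storing the iteration count alongside the salt lets the work factor be raised later without breaking existing rows, and keeping the pepper out of the database means a dump of the `Users` table alone is not enough to start guessing.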