So I'm trying to hash some passwords from a database from a login form. When I try to log in the first time, it works with the password from the database; then I hash it with MD5. When I come back to the login page I want to use the previously used password to log me in, but it changed to the MD5 one. Is there any solution to have the MD5 one in the database and for me to log in with the first one used? Thanks in advance. (smecher.j is a variable that is 0.)

public void validateLogin(){
    // Two separate connections: one for the SELECT, one for the UPDATE.
    DatabaseConnection connectNow = new DatabaseConnection();
    DatabaseConnection connectNow2 = new DatabaseConnection();

    Connection connectDB = connectNow.getConnection();
    Connection connectDB2 = connectNow2.getConnection();

    // Both statements are built by concatenating the form fields into the SQL text.
    String verifyLogin = "SELECT count(1) FROM user_account WHERE username = '" + usernameTextField.getText() + "' AND password = '" + enterPasswordField.getText() + "'";
    // Replaces the stored password with the MD5 of whatever the column currently holds.
    String insertFields3 = "UPDATE user_account SET password = MD5(password) WHERE username = '" + usernameTextField.getText() + "'";

    try{
        Statement statement = connectDB.createStatement();
        Statement statement2 = connectDB2.createStatement();

        ResultSet queryResult = statement.executeQuery(verifyLogin);
        while(queryResult.next()){
            if(queryResult.getInt(1)==1){
                login1();
                // smecher.j starts at 0, so the column is hashed on the first successful login only.
                if(smecher.j==0) {
                    statement2.executeUpdate(insertFields3);
                    smecher.j++;
                }

                text1 = enterPasswordField.getText();
            }else{
                loginMessageLabel.setText("Invalid login, please try again");
            }

        }
        lol();
    }catch(Exception e){
        e.printStackTrace();
    }

}
public static String text1 = "";
// Reads the (now hashed) password column back for the same username and prints it.
public void lol() {
    Connection conn = null;
    Statement st = null;
    ResultSet rs = null;

    String dbUrl = "jdbc:mysql://localhost:3306/databaselol?autoReconnect=true&useSSL=false";
    String dbUsr = "root";
    String dbPass = "!Iloriana12";
    try {
        String sql = "SELECT password FROM user_account WHERE username = '" + usernameTextField.getText() + "'";
        Class.forName("com.mysql.cj.jdbc.Driver");
        conn = DriverManager.getConnection(dbUrl, dbUsr, dbPass);
        st = conn.createStatement();
        rs = st.executeQuery(sql);

        while(rs.next()){
            String value = rs.getString("password");
            text1 = value;
        }
        System.out.println(text1);

    }catch(Exception e){
        e.printStackTrace();
    }finally{
        // Close in reverse order; each may still be null if an earlier step threw.
        try {
            if (rs != null) rs.close();
        } catch (SQLException e) {
            e.printStackTrace();
        }
        try {
            if (st != null) st.close();
        } catch (SQLException e) {
            e.printStackTrace();
        }
        try {
            if (conn != null) conn.close();
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}
Tom Taylor
  • The whole `insertFields3` doesn't make sense to me at all. The only time you need to rehash the password is if the user requests to change the password. You just set it to `MD5("password")` whenever the user signs in. Yes, the password becomes the MD5 hash of "password". – Yoshikage Kira May 18 '21 at 23:18
  • But what if I want to relog on the same account again? Do I not need to put in the new MD5 hashed password? – Adelin Cărăbaș May 18 '21 at 23:26
  • In my opinion, no. The MD5 generated each time will be the same. I don't see a reason to update the MD5 each time the user logs in. – Yoshikage Kira May 19 '21 at 00:08
  • I think it's recommended to _avoid_ using [MD5 for password hashing](https://security.stackexchange.com/questions/19906/is-md5-considered-insecure). Also, the advice ["don't roll your own"](https://stackoverflow.com/a/1471660/12567365) authentication system seems good advice, to me. More info is in the [OWASP cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#password-hashing-algorithms). Disclaimer: I am not a security expert. – andrewJames May 19 '21 at 00:20
  • Further to @andrewjames's comment, the OWASP page suggests using Bcrypt, so maybe consider Spring's `BCryptPasswordEncoder` as per this page https://www.codejava.net/frameworks/spring-boot/user-registration-and-login-tutorial – Scary Wombat May 19 '21 at 00:32
  • Also, to avoid possible SQL injection problems, use a `PreparedStatement` – Scary Wombat May 19 '21 at 00:42
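The comments above recommend a `PreparedStatement` and a proper password hash instead of MD5, and the answer below still concatenates the form fields into the SQL. The following is an added example (not the asker's code and not from the answer) that puts both pieces together using the JDK's own `PBKDF2WithHmacSHA256`, which is on the OWASP list next to bcrypt. It assumes the question's `user_account(username, password)` table, with the `password` column holding the string produced by `hash` rather than plaintext or MD5; the `PasswordStore` class name and the `pbkdf2$iter$salt$hash` storage format are my own choices.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: stores and checks passwords as salted PBKDF2 hashes (assumed format, not the page's).
public class PasswordStore {
    private static final int ITERATIONS = 600_000; // OWASP's current figure for PBKDF2-HMAC-SHA256
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;

    // Called once, when the password is set or changed; the stored string is "pbkdf2$iter$salt$hash".
    public static String hash(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return "pbkdf2$" + ITERATIONS + "$" + enc.encodeToString(salt)
             + "$" + enc.encodeToString(pbkdf2(password, salt, ITERATIONS));
    }

    // Recomputes the hash with the stored salt and iteration count, then compares in constant time.
    public static boolean verify(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !parts[0].equals("pbkdf2")) return false; // plaintext/MD5 row: reject
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        byte[] actual = pbkdf2(password, salt, Integer.parseInt(parts[1]));
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Login check: a parameterised query instead of concatenation, and no UPDATE on login,
    // so the same password keeps working on every visit to the form.
    public static boolean validateLogin(Connection db, String username, char[] password) throws Exception {
        String sql = "SELECT password FROM user_account WHERE username = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && verify(password, rs.getString("password"));
            }
        }
    }
}
```

A user's row is written with `hash(...)` once at registration or password change, and `validateLogin` then works unchanged on every later login; a row still holding plaintext or MD5 is rejected rather than rewritten, which is the behaviour the question's one-time `UPDATE ... MD5(password)` was trying to approximate.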

1 Answer

When saving the password you should save it encrypted, and when you verify the password you should compare the encrypted versions of the password, as in:

String verifyLogin = " SELECT count(1) FROM user_account WHERE username = '" + usernameTextField.getText()  + "' AND password =MD5('" + enterPasswordField.getText() +"')";

String insertFields3 = " UPDATE user_account SET password = MD5('" + enterPasswordField.getText() + "') WHERE username = '" + usernameTextField.getText() +"'";
tremendous7