0

Possible Duplicate:
What function to use to hash passwords in MySQL?
Secure password storage

What is the best mechanism for storing passwords into database after encryption of the password? And what is the method of encryption and an implementation in Java?

Bhavik Ambani
  • This question has been asked hundreds of times here already. A few of the questions even have answers that aren't horrible. – erickson Jan 22 '12 at 10:07
  • possible duplicate of [Best practices for storing database passwords](http://stackoverflow.com/questions/258299/), [Best way to store password in database](http://stackoverflow.com/questions/1054022/), [What function to use to hash passwords in MySQL?](http://stackoverflow.com/questions/335888/), [Effective Password Encryption](http://stackoverflow.com/questions/883371/) – outis Jan 23 '12 at 02:11
  • None of the duplicates referred to from here are based on Java, as requested by the OP. (Most are focused specifically on MySQL.) +1 for re-opening the question. – ziesemer Jan 25 '12 at 13:37

2 Answers

8

Never store encrypted passwords. Store a secure one-way hash instead, something like SHA-1 (has some minor security issues), or one of the newer, more secure variants.

Doing so is actually against several regulatory requirements that you may be subject to, such as the PCI DSS if you have any involvement with credit cards (doing any e-commerce?).

Something like http://www.mindrot.org/projects/jBCrypt/ may also prove useful.

+1 for Borealid's comment - even with hashing, the hashing needs to be done properly, and must include "salt" (additional random data to prevent a subset of attacks). jBCrypt will do this for you (as will other similar libraries).

ziesemer
  • then which way or algorithm should I use as the best solution? – Bhavik Ambani Jan 22 '12 at 08:19
  • 6
    Don't store a hash of the bare password, please. Add something to make this particular hash worthless in attacking other sites, and resistant to rainbow-table attacks. – Borealid Jan 22 '12 at 08:20
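Here is an added example of what this answer recommends (not code from the answer or from the jBCrypt project): storing and checking passwords with jBCrypt. It assumes the jBCrypt jar is on the classpath (the `org.mindrot:jbcrypt:0.4` artifact from Maven Central); the class name and the `LOG_ROUNDS` value are this example's own choices.

```java
import org.mindrot.jbcrypt.BCrypt;

/**
 * Added example: password storage with jBCrypt. bcrypt generates its own
 * random salt and embeds it, together with the work factor, in the hash
 * string, so a single column holds everything needed to verify later.
 */
public class BcryptPasswordStore {

    // Work factor: 2^LOG_ROUNDS bcrypt rounds. Tune so one hash takes on the
    // order of 100 ms on your servers; raise it as hardware gets faster.
    private static final int LOG_ROUNDS = 12;

    /** Returns the string to persist, e.g. "$2a$12$" + 22-char salt + 31-char hash. */
    public static String hashForStorage(String password) {
        // gensalt() draws a 128-bit salt from SecureRandom; hashpw() embeds it.
        return BCrypt.hashpw(password, BCrypt.gensalt(LOG_ROUNDS));
    }

    /** Verifies a login attempt against the stored bcrypt string. */
    public static boolean verify(String candidate, String storedHash) {
        // Reject anything that is not a bcrypt string instead of letting
        // checkpw() throw on a malformed value in the database.
        if (storedHash == null || storedHash.length() != 60 || !storedHash.startsWith("$2")) {
            return false;
        }
        return BCrypt.checkpw(candidate, storedHash);
    }

    /**
     * True when the stored hash was made with a lower work factor than the
     * current setting. Call this after a successful login and re-hash the
     * password then, since that is the only moment the plaintext is available.
     */
    public static boolean needsRehash(String storedHash) {
        // Layout is "$2a$NN$..."; the cost is the two digits at positions 4 and 5.
        int cost = Integer.parseInt(storedHash.substring(4, 6));
        return cost < LOG_ROUNDS;
    }

    public static void main(String[] args) {
        String stored = hashForStorage("correct horse battery staple");
        System.out.println("stored value:    " + stored);
        System.out.println("right password:  " + verify("correct horse battery staple", stored));
        System.out.println("wrong password:  " + verify("Correct horse battery staple", stored));
        // A second hash of the same password differs because the salt differs,
        // which is exactly what defeats rainbow tables and cross-site reuse.
        System.out.println("same twice?      " + stored.equals(hashForStorage("correct horse battery staple")));
        System.out.println("needs rehash:    " + needsRehash(stored));
    }
}
```

Two things worth knowing when using this: bcrypt only looks at the first 72 bytes of the password, so enforce a sensible maximum length at the input layer rather than silently truncating, and never compare bcrypt strings with `equals()`; always go through `checkpw()`, which re-derives the hash with the stored salt and cost.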
1

A common way to store passwords is to hash them using a message digest algorithm. I'd recommend SHA1, or if you need more bytes (-> less collision possible), SHA256 or 512. Here's an SHA1 implementation in Java:

http://www.anyexample.com/programming/java/java_simple_class_to_compute_sha_1_hash.xml

It's also advised that you use a salt for making guessing password hashes even harder. Explanation:

http://en.wikipedia.org/wiki/Salt_(cryptography)

  • 2
    You should probably mention salt. There are enough unsalted passwords out there already, thank you very much. – Borealid Jan 22 '12 at 08:19