views: 3437
answers: 5

In a Java application stack with Spring & Hibernate (JPA) in the Data Access Layer, what are good methods of applying password encryption (hopefully using annotations), and where can you find out more about getting it done (tutorial, etc.)?

It's understood that I would use a JCA-supported algorithm for encrypting the passwords, but I would prefer not to have to implement the wrapper logic if there is an easy way.

I was looking at Jasypt, and was a) wondering if that's a good option and how to do it and b) what else people are using for this. If anyone is using Jasypt or an alternative, details of your experience would be great.

A: 

I just use something similar to SHA-256(username + ":" + password + ":" + salt) and store it in the database in a 64-character column called passwd.

Wikipedia says, relating to salts: "Salt data complicates dictionary attacks that use pre-encryption of dictionary entries: each bit of salt used doubles the amount of storage and computation required. ... For best security, the salt value is kept secret, separate from the password database. This provides an advantage when a database is stolen, but the salt is not."

So to authenticate, get user from database with supplied username, then generate the same hash using the password provided via their login attempt, and compare to that in the database. Also add in some rate limiting for login attempts (e.g., 5 per 5 minute period). If the user forgets their password, NEVER email them the password (as you won't have it stored), nor email them a new generated password, but email them a link to change that password with a change password key/nonce/salt in the URL that you can check against.

JeeBee
I edited my question - I wasn't looking for the algorithm, but for a standard (i.e. library-implemented) way to use the JCA algorithms with a Spring/Hibernate stack.
stevedbrown
So you'd really want something like a @Password("SHA-256") annotation on a field in your user account model, and for your framework to automatically handle validation in the background? At some point you start asking a framework to be too specific in terms of functionality, and sacrificing flexibility.
JeeBee
+1  A: 

MD5 or SHA-256 would be fine, although MD5 is crackable now.

Maybe I misunderstood the problem, but it should be just comparing the hashed passwords.

In hibernate, just store as a String. On the validation side, have a method like:

public boolean validate(String user, String pass)
{
    // getUser() loads the account by name; getHash() applies the same one-way
    // digest that was used when the stored value was written.
    return getUser(user).getPass().equals(getHash(pass));
}
Jesse
Same comment, I wasn't looking for an architecture or algorithm to use - just how people actually do it.
stevedbrown
Is this more what you're looking for? http://www.evolt.org/node/60122
Jesse
That describes what I'm doing now - I was wondering if there's a way to annotate hibernate properties or something to do this automatically. Seems cleaner.
stevedbrown
I've never come across anything like that. You could write your own AOP pointcut to do it based off an annotation, but that seems like overkill for this scenario.
Jesse
+2  A: 

Java has all of the required libraries already provided for you. Simply create a utility method that implements hashing with a salt as described at OWASP.

If you really don't want to own that code and don't mind an extra dependency, it seems that the Ki library (formerly JSecurity) has an implementation of what is described by OWASP.

It also looks like the JASYPT library you mentioned has a similar utility.

I realize that this answer doesn't mention Spring or Hibernate but I'm not clear how you are hoping to utilize them in this scenario.

laz
+1  A: 

You can use Jasypt with Hibernate to encrypt or hash your properties on the fly if that's what you're looking for. The actual algorithm for computing digests (hashes) is pretty simple using the JCE if you want to roll your own as well.

Kevin
I don't think the JASYPT with Hibernate approach is ideal for passwords since it is possible to decrypt the value. Passwords should be secured with a one-way digest.
laz
JASYPT does support this - http://www.jasypt.org/howtoencryptuserpasswords.html.
stevedbrown
I saw that, but it doesn't seem that the Hibernate integration that they provide takes advantage of it. The Hibernate integration is only for encrypting/decrypting, not one-way digesting.
laz
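The answers above converge on one shape: compute a salted one-way digest with the JCE when the password is set, store only the digest, and recompute and compare at login (JeeBee's and Jesse's answers, laz's pointer to the OWASP utility), while the comment thread on this answer notes that Jasypt's Hibernate integration is two-way encryption rather than a digest. The following is an added example written for this page; it is not code from any of the answerers, from Jasypt, from Ki or from Spring/Hibernate. It shows the annotation-driven arrangement the question asks for using nothing but the JPA lifecycle callbacks @PrePersist and @PreUpdate plus the JDK's own PBKDF2WithHmacSHA256 (a salted, iterated digest; the answers use a single SHA-256 pass, which you could substitute in the pbkdf2 method if you must match rows hashed that way). It assumes the javax.persistence API on the classpath (jakarta.persistence for Hibernate 6+). The class names UserAccount and PasswordHasher, the method names, the column length of 128 and the storage format "pbkdf2-sha256$iterations$salt$hash" are this example's own choices; the column name passwd is taken from the first answer.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.PrePersist;
import javax.persistence.PreUpdate;
import javax.persistence.Transient;

/** Salted, iterated one-way digest built on the JCE alone (hypothetical helper, not Jasypt or Ki). */
final class PasswordHasher {
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final String FORMAT_TAG = "pbkdf2-sha256";
    private static final int ITERATIONS = 100_000;
    private static final int SALT_BYTES = 16;
    private static final int HASH_BITS = 256;
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Returns "pbkdf2-sha256$iterations$salt$hash"; a fresh salt per call means equal passwords never share a digest. */
    static String hash(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        byte[] digest = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return FORMAT_TAG + "$" + ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(digest);
    }

    /** Recomputes the digest with the stored salt and iteration count; malformed stored values fail closed. */
    static boolean verify(char[] password, String stored) {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !FORMAT_TAG.equals(parts[0])) { return false; }
        try {
            int iterations = Integer.parseInt(parts[1]);
            byte[] salt = Base64.getDecoder().decode(parts[2]);
            byte[] expected = Base64.getDecoder().decode(parts[3]);
            byte[] actual = pbkdf2(password, salt, iterations);
            return MessageDigest.isEqual(expected, actual); // constant-time comparison of the two digests
        } catch (IllegalArgumentException badEncoding) { // NumberFormatException and bad Base64 land here
            return false;
        }
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 not available in this JCE", e);
        } finally {
            spec.clearPassword(); // PBEKeySpec keeps its own copy of the password; wipe it
        }
    }
}

/** Hypothetical entity: the plaintext lives only in a @Transient field and is digested by a JPA callback. */
@Entity
public class UserAccount {
    @Id private String username;
    @Column(name = "passwd", length = 128, nullable = false)
    private String passwordHash;
    @Transient private char[] plaintextPassword; // never mapped to a column

    protected UserAccount() { } // JPA providers need a no-arg constructor

    public UserAccount(String username, char[] plaintextPassword) {
        this.username = username;
        this.plaintextPassword = plaintextPassword;
    }

    public void changePassword(char[] newPassword) { this.plaintextPassword = newPassword; }

    /** Runs before INSERT and before every UPDATE; digests only when a new plaintext was supplied. */
    @PrePersist @PreUpdate
    void hashPasswordBeforeWrite() {
        if (plaintextPassword == null) { return; } // update of other fields: keep the existing digest
        passwordHash = PasswordHasher.hash(plaintextPassword);
        Arrays.fill(plaintextPassword, '\0'); // do not keep the plaintext on the heap longer than needed
        plaintextPassword = null;
    }

    public boolean authenticate(char[] attempt) {
        return passwordHash != null && PasswordHasher.verify(attempt, passwordHash);
    }

    public static void main(String[] args) {
        UserAccount alice = new UserAccount("alice", "correct horse battery".toCharArray());
        alice.hashPasswordBeforeWrite(); // the provider invokes this on persist(); called directly here
        System.out.println("right password accepted: " + alice.authenticate("correct horse battery".toCharArray()));
        System.out.println("wrong password rejected: " + !alice.authenticate("wrong".toCharArray()));
    }
}
```

Because the callback digests only when the transient plaintext is non-null, an update that touches other columns leaves the stored value alone instead of digesting the digest a second time; that check is the part a hand-written @PreUpdate hook most often gets wrong. The main method calls the callback directly so the example runs without an EntityManager, then checks a correct and an incorrect login attempt. Each stored value carries its own iteration count, so ITERATIONS can be raised later and old rows re-hashed on their next successful login; the rate limiting and reset-link flow from the first answer sit in the service layer, outside the entity.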
A: 

The company for which I work is considering whether to use jasypt or not. We currently have an app using Hibernate that may be installed on one of four database flavors. If we go ahead and use it, I'll return and provide details on my findings.

Omniwombat