views: 197

answers: 4
I use JSP and servlets in my web application. I need to store passwords in the database. I found that hashing will be the best way to do that. I used this code to do it.

    <%@page import="com.jSurvey.entity.*" %>
    <%@page import="java.security.MessageDigest" %>
    <%@page import="java.security.NoSuchAlgorithmException" %>
    <%@page import="java.math.BigInteger" %>
    <%@page import="com.jSurvey.controller.*" %>
    <%@page import="sun.misc.BASE64Encoder" %>
    <%
        try {
            // registration form fields
            String user = request.getParameter("Username");
            String pass = request.getParameter("Password1");
            String name = request.getParameter("Name");
            String mail = request.getParameter("email");
            String phone = request.getParameter("phone");
            String add1 = request.getParameter("address1");
            String add2 = request.getParameter("address2");
            String country = request.getParameter("country");
            Login login = new Login();
            Account account = new Account();

            login.setId(user);
            login.setPassword(pass);
            if (!(add1.equals(""))) {
                account.setAddress1(add1);
            }
            if (!(add2.equals(""))) {
                account.setAddress2(add2);
            }
            if (!(country.equals(""))) {
                account.setCountry(country);
            }
            account.setId(user);
            account.setMail_id(mail);
            if (!(phone.equals(""))) {
                account.setPhone_no(Long.parseLong(phone));
            }
            account.setName(name);

            // SHA-1 digest of the password, Base64-encoded for storage
            MessageDigest d = MessageDigest.getInstance("SHA-1");
            d.reset();
            d.update(pass.getBytes("UTF-8"));
            byte b[] = d.digest();
            String tmp = (new BASE64Encoder()).encode(b);

            account.setPassword(tmp);
            account.setPrivilege(1);
            LoginJpaController logcon = new LoginJpaController();
            AccountJpaController acccon = new AccountJpaController();
            logcon.create(login);
            acccon.create(account);
            session.setAttribute("user", user);
            response.sendRedirect("dashboard.jsp");
        } catch (NumberFormatException ex) {
            out.println("Invalid data");
        } catch (NoSuchAlgorithmException ex) {
            // getInstance("SHA-1") is a checked exception and must be handled
            out.println("Hash algorithm not available");
        }
    %>

When I tried to print the value of tmp, I get some other value. I guess it's the hash value of the password. But when I persist this data to the database, the original password gets saved there rather than the value in tmp.

I am using Java Derby as the database.

What is the problem?

+4  A: 
  1. Add salt. For example, append the email to the password before hashing. This will prevent the usage of rainbow tables.
  2. Make sure you use tmp in your INSERT query, rather than the original password.
  3. Don't use BASE64Encoder. It is part of Sun's internal libraries and is subject to change. Use commons-codec Base64.
Bozho
A: 

What about MD5 format...

Hari kanna
I think MD5 might be worse than SHA1.
extraneon
See: http://en.wikipedia.org/wiki/MD5#Security
Catchwa
A: 

Try this; it should work.

    import java.math.BigInteger;
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    public class MD5 {

        public static void main(String[] args) {
            try {
                MessageDigest alg = MessageDigest.getInstance("MD5");
                String password = "123456";
                alg.reset();
                // fix the charset explicitly so the digest is the same on every platform
                alg.update(password.getBytes(StandardCharsets.UTF_8));
                byte[] msgDigest = alg.digest();

                // treat the 16 digest bytes as an unsigned number
                BigInteger number = new BigInteger(1, msgDigest);

                // zero-pad to 32 hex digits; toString(16) alone drops leading zeros
                String str = String.format("%032x", number);
                System.out.println(str);

            } catch (NoSuchAlgorithmException e) {
                e.printStackTrace();
            }
        }

    }

HZhang
But I get a hashed value when I use the algorithm. The problem is when I persist the data into the database: the hashed value isn't stored in the database, but the original value is stored.
rgksugan
+3  A: 

Apache has a commons library, namely Commons Codec, that makes it easier to encode the password. It will do the entire job for you.

    import org.apache.commons.codec.digest.DigestUtils;

    String pw = DigestUtils.sha256Hex(password);

Or if you want base64:

    import org.apache.commons.codec.digest.DigestUtils;
    import org.apache.commons.codec.binary.Base64;

    byte[] pwBytes = DigestUtils.sha(password);
    String b64Pass = Base64.encodeBase64String(pwBytes);
krico
But I get a hashed value when I use the algorithm. The problem is when I persist the data into the database: the hashed value isn't stored in the database, but the original value is stored.
rgksugan
You have to set login.setPassword(tmp).
krico