Jeetandra Mahtani wrote:

> Hello:
> I have a registration form that has a field for a userid and password. These
> two values are stored in a table on an AS/400. Is it possible to store the
> passwords in encrypted format? If I need to let the user know his password, is
> it possible to unencrypt it? I am pretty close to the end of a project and need
> to solve this quickly. I would greatly appreciate it if someone would let me
> know soon.
> Thank you,
> J
>

It certainly is possible to store the passwords in an encrypted (actually,
encoded) format in the database.  Among many other places, Unix systems use
this to store passwords into the /etc/passwd or /etc/shadow files.

The basic idea is that you utilize a one-way hashing function (see below for
some possibilities) that you call on the cleartext password before you store
it.  As the name implies, it is supposed to be "computationally infeasible" to
go from the encoded version back to the cleartext version.  (That's why, if you
forget your password on a Unix system, all the sysadmin can do is set a new one
-- there's no way he or she can retrieve the current one.)

So how do you validate an incoming password?  Pretty simple -- encode whatever
the user specified using the same one-way function, and compare the results.
If they match, byte for byte, then you assume that the user knew the correct
password and you let them in.

Based on this, it's pretty obvious that a good hashing algorithm should
minimize the chance that two different words hash to the same value.
Reasonable choices include the crypt() function in C (if your OS supports it),
or one of the digest functions supported by the Java security library.  I've
had pretty good luck using the java.security.MessageDigest class, with the MD5
algorithm, for this purpose.  The only slightly messy part is you get back a
byte array (non-ASCII) that you need to store in a "raw" column in your
database, unless you do something like convert it to hexadecimal so you can
store it in a character field.

Craig McClanahan
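The registration-and-login flow described in the reply above, as an added example (not code from the post or from any project): hash the cleartext with java.security.MessageDigest, hex-encode the digest so it fits in a character column, and compare byte for byte at login. It goes slightly beyond the post by prepending a random per-user salt, as crypt() does, and by comparing with MessageDigest.isEqual; the class name, method names and the "algorithm$salt$digest" column layout are my own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class PasswordStore {
    // Hex-encode bytes so the digest can live in a character column instead of a raw one.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    static byte[] unhex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
    // The one-way function from the post: a MessageDigest over the cleartext.
    // The salt is an addition (assumption) so two users with the same password get different rows.
    static byte[] digest(String algorithm, byte[] salt, String cleartext) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt);
        return md.digest(cleartext.getBytes(StandardCharsets.UTF_8));
    }
    // Value written to the table at registration: "<algorithm>$<hex salt>$<hex digest>".
    static String storedValue(String algorithm, String cleartext) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return algorithm + "$" + hex(salt) + "$" + hex(digest(algorithm, salt, cleartext));
    }
    // Login check: recompute with the stored salt and compare byte for byte.
    // MessageDigest.isEqual runs in constant time, so response timing does not leak a partial match.
    static boolean verify(String stored, String candidate) throws NoSuchAlgorithmException {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) return false;
        byte[] expected = unhex(parts[2]);
        byte[] actual = digest(parts[0], unhex(parts[1]), candidate);
        return MessageDigest.isEqual(expected, actual);
    }
    public static void main(String[] args) throws NoSuchAlgorithmException {
        // "MD5" is the algorithm named in the post; any name accepted by MessageDigest.getInstance works.
        String row = storedValue("MD5", "correct horse");
        System.out.println(row);
        System.out.println(verify(row, "correct horse"));
        System.out.println(verify(row, "wrong horse"));
    }
}
```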


___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
