Jeetandra,

The way I see it you have 2 options.

1. Use one-way hash encryption (such as MD5), which I think is more secure, and if a user forgets his password, give him a randomly generated password, and he/she could always change it to what he/she wants.

2. Use a secret key encryption (DES), in which case you will have to ensure that the key seed you use is kept sufficiently secure. A good policy may be to generate the key as a combination of as many different values as possible.

You might want to take a look at the Java Cryptography extensions.

Hope this helps.

- Chinmay.

> ----------
> From: Craig R. McClanahan[SMTP:[EMAIL PROTECTED]]
> Reply To: A mailing list for discussion about Sun Microsystem's Java Servlet API Technology.
> Sent: Wednesday, November 17, 1999 9:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Please advice: Encrypting passwords and servlets
>
> Jeetandra Mahtani wrote:
>
> > Hello:
> >
> > I have a registration form that has a field for a userid and password. These two values are stored in a table on an AS/400. Is it possible to store the passwords in encrypted format? If I need to let the user know his password, is it possible to unencrypt it? I am pretty close to the end of a project and need to solve this quickly. I would greatly appreciate it if someone would let me know soon.
> >
> > Thank you,
> > J
>
> It certainly is possible to store the passwords in an encrypted (actually, encoded) format in the database. Among many other places, Unix systems use this to store passwords into the /etc/passwd or /etc/shadow files.
>
> The basic idea is that you utilize a one-way hashing function (see below for some possibilities) that you call on the cleartext password before you store it. As the name implies, it is supposed to be "computationally infeasible" to go from the encoded version back to the cleartext version. (That's why, if you forget your password on a Unix system, all the sysadmin can do is set a new one -- there's no way he or she can retrieve the current one.)
>
> So how do you validate an incoming password? Pretty simple -- encode whatever the user specified using the same one-way function, and compare the results. If they match, byte for byte, then you assume that the user knew the correct password and you let them in.
>
> Based on this, it's pretty obvious that a good hashing algorithm should minimize the chance that two different words hash to the same value. Reasonable choices include the crypt() function in C (if your OS supports it), or one of the digest functions supported by the Java security library. I've had pretty good luck using the java.security.MessageDigest class, with the MD5 algorithm, for this purpose. The only slightly messy part is you get back a byte array (non-ASCII) that you need to store in a "raw" column in your database, unless you do something like convert it to hexadecimal so you can store it in a character field.
>
> Craig McClanahan
>
> > ___________________________________________________________________________
> > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > of the message "signoff SERVLET-INTEREST".
> >
> > Archives: http://archives.java.sun.com/archives/servlet-interest.html
> > Resources: http://java.sun.com/products/servlet/external-resources.html
> > LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
Re: Please advice: Encrypting passwords and servlets
Nadkarni, Chinmay (Chinmay)** CTR ** Sat, 16 Jan 1999 06:25:00 -0800
