I did some quick research on this recently.
I struggled between choosing any of the following:
1. encode/decode password using Java
2. encode/decode password using database specific methods
3. hashing the password
After doing quite a bit of research on the 'net (java.sun.com mostly), I
decided to use #3, using a message digest and MD5 hashing. This is a
one-way hash, almost impossible to decode. To authenticate the user, I
hash the password entered from the login form using this same method and
compare that with the password hash stored in the database.
Regarding decrypting the password, based on what I have read, I decided
that no one, not even the database administrator, should be able to
decrypt the user's password.
The following is the method that I use to hash the password.
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    // 'log' is a logger field (e.g. commons-logging) declared elsewhere in the class.
    public static byte[] encodePassword(byte[] unencodedPassword) {
        log.trace("encodePassword() - Entering");
        MessageDigest md = null;
        try {
            // first create an instance, given the provider
            md = MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            // without a digest instance there is nothing to hash with, so fail
            // loudly here instead of hitting a NullPointerException below
            log.error("Exception: ", e);
            throw new IllegalStateException("MD5 MessageDigest not available", e);
        }
        md.reset();
        // call the update method one or more times
        // (useful when you don't know the size of your data, eg. a stream)
        md.update(unencodedPassword);
        // now calculate the hash
        byte[] encodedPassword = md.digest();
        // hex-encode the digest; this string is only used for the debug log,
        // the raw digest bytes are what gets returned and stored
        StringBuffer buf = new StringBuffer();
        for (int i = 0; i < encodedPassword.length; i++) {
            if ((encodedPassword[i] & 0xff) < 0x10) {
                buf.append("0");
            }
            buf.append(Long.toString(encodedPassword[i] & 0xff, 16));
        }
        log.debug("encodePassword() - Encoded Password:\t" + buf);
        log.trace("encodePassword() - Exiting");
        return encodedPassword;
    }
If the user forgets the password, I am still struggling with what to do,
probably one of the following or both:
1. reset the password and mail the new password to the user
2. reset the password and present it to them within the browser
With both methods I will force the user to change their password the next
time they log in.
I'm not an expert in Java security, so I would be interested in any
comments.
-Tim
-----Original Message-----
From: Andrew H. Peterson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 07, 2002 9:36 PM
To: Struts User Forum (E-mail)
Subject: Struts and encryption
Is there a struts preferred method of handling encryption/decryption? I am
authenticating users via a database lookup. I want to store the encrypted
password in the database.
If struts doesn't have a preferred method of encryption/decryption, can
someone point me to a good Java API for encryption/decryption?
Thanks.
ahp
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>