On 08/08/2008, at 5:00 AM, Michael Gentry wrote:
public void setPassword(String newPassword)
{
super.setPassword(sha1(newPassword));
}
That's close to what we do too. Some small caveats:
* think carefully about how you implement validation like 'password
length is more than 4 characters' since the hash will always be more
than 4 characters
* salt the password before hashing it (for example with the username
and some other random string) otherwise you make it easy for someone
to change the database value to a known password. That is, the
password 'mypass' should hash to two different results for two
different users.
* make sure you don't getPassword and then setPassword somewhere in
your code otherwise you'll keep rehashing the hashed version.
Cheers
Ari
-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
