Bug in login rehash: user.setPassword(plainTextPassword);
Should be user.setPassword(hashedPassword); Also, your fetchUserBySSN() method assumes that encryption repeatedly returns the same value. Is that always true? I know that hashing passwords typically has a random salt to increase security, resulting in different hashed values for the same key. You have to know the random salt in order to recreate the same hash key. In unix passwords, this is done by reading the random salt off the front of the previous hashed value. On Tue, Feb 10, 2009 at 8:35 AM, Michael Gentry <[email protected]> wrote: > I updated the document. I tried to simplify the key protection stuff > (hopefully it makes a bit more sense) and added an example at the > bottom on how you might do a search and fetch using encrypted field > values. > > http://people.apache.org/~mgentry/Security_Manifesto.pdf > > > mrg >
