currently I work with Shiro to create an authenticated and authorized connection between server and client.
For now I don't have a special realm and only use the shiro.ini to save all my test users.
My question now is if there is a possibility to save the salt for each user in the shiro.ini or do I have to create a seperate database as a realm?
So is there the chance to save it somehow like this within the .ini?
[users]
*username* = *hashed Password*, *salt*, *roles
I actually do not really understand how or where I can save a random salt for each user.
My current understanding is that the 'hashed Password' in the ini is the final comparison value, for the incoming token containing a password that firstly has to be hashed with the user specific salt.
Related
Everything is in the title.
After a successfully post request to create a user, should I include the password in the response ?
Thanks.
Password goes the only one way, from user to server and never comes back. Actually after user is created, you should not posses password as plain text anymore. It should be hashed by BCrypt or other secure hashing function and stored in database.
Even though password would be hashed you should never send it to the client (browser)
I wrote an app that queries a Jira API which requires authentication that I provide through Basic Authentication (base64 in the header). The password was stored in the code which has to stop now because I want to hand over the code.
When the users changes their passwords due to the password schedule, the app should prompt the user for the new Jira password, save it securely, and pass it to the Jira API via Basic Authentication.
What's the best way to do this?
Normally, we would hash it but that's not possible because hashing is one-way direction and we need to pass in the real password to Jira instead of a hash.
In case of storing a string which needs to be protected in case of breaches or as a general software data security concern, encryptions should be done. For example, in your case, when the password is taken by the user then it shall be encrypted by the software before storing. While retrieving, the password is decrypted and converted to the hash(or base64) which Jira accepts for the login handshake.
Apart from the simply encrypting and decrypting, a better approach will be to use salts while encrypting and using multiple encryptions in the loop to avoid brute force attempts.
Pseudocode:
unsafe_password = getPasswordFromUser()
salt = getRandomString();
safePassword = encrypt(unsafe_password, salt, key)
// Store the password
putEntryInDB(user, safePassword, salt)
// Retrieve password
[passwordSalt, encryptedPassword] = getSaltAndEncryptedPasswordFromDB()
unsafePassword = decrypt(encryptedPassword, passwordSalt, key)
// Now login into Jira with the actual user's password (unsafePassword)
P.S. You'll be needing to store a key in the code or in some software's configuration.
Source: Attempt 4&5 https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
I have an application that requires passwords to be hashed two fold, lets call hash function A and B.
Normally authentication is done with glassfish, which uses a "disgests-function", implying all password given by users will be hashed with this function and verify with database.
How can i set it up so users password in request will be hashed by two functions A and B ? Should i write a custom authentication module ?
I have a java spring web application and currently it has a normal authentication flow. I need to add a two factor authentication implementation to it. For that can we use 3rd party provider like google or any other provider.
I need to add a two factor authentication implementation to [my java spring web application].
Here's a good package that I wrote which implements 2FA/two-factor authentication in Java code.
Copying from the READ_ME, to get this to work you:
Properly seed the random number generator.
Use generateBase32Secret() to generate a secret key for a user.
Store the secret key in the database associated with the user account.
Display the QR image URL returned by qrImageUrl(...) to the user.
User uses the image to load the secret key into his authenticator application.
Whenever the user logs in:
The user enters the number from the authenticator application into the login form.
Read the secret associated with the user account from the database.
The server compares the user input with the output from generateCurrentNumber(...).
If they are equal then the user is allowed to log in.
I am working on an implementation of javamail in my current program. The testmails are sent successfully if I predefine the credentials directly in the code or if I write it via text/password Fields, but I want it more userfriendly. I'm using a MySQL DB for my program where I could store the smtp password but for security reasons I don't want it in cleartext and the only option I know would be a synchronous encryption and use the users login password as the security password.
Are there any other options to store the password safely or even a other option that the user doesn't need to enter his password all the time?
For sure, this will only be an option via checkbox for saving credentials, if the user doesn't want this he has to write it all the time.
Thanks for helping.
Store the password encrypted (hashed) in the database. Encrypt with the libs of Apache Common for example:
String password = "PASSWORD_TO_ENCRYPTED";
String salted = password + username; //salt the password value, using the username is only an example
String hash = DigestUtils.sha256Hex(salted.getBytes("UTF-8"));
If you want to check if a given password is correct, salt it and hash it same way.. and compare the hash strings with the value stored in the database.