I am working on an implementation of javamail in my current program. The testmails are sent successfully if I predefine the credentials directly in the code or if I write it via text/password Fields, but I want it more userfriendly. I'm using a MySQL DB for my program where I could store the smtp password but for security reasons I don't want it in cleartext and the only option I know would be a synchronous encryption and use the users login password as the security password.
Are there any other options to store the password safely or even a other option that the user doesn't need to enter his password all the time?
For sure, this will only be an option via checkbox for saving credentials, if the user doesn't want this he has to write it all the time.
Thanks for helping.
Store the password encrypted (hashed) in the database. Encrypt with the libs of Apache Common for example:
String password = "PASSWORD_TO_ENCRYPTED";
String salted = password + username; //salt the password value, using the username is only an example
String hash = DigestUtils.sha256Hex(salted.getBytes("UTF-8"));
If you want to check if a given password is correct, salt it and hash it same way.. and compare the hash strings with the value stored in the database.
Related
Everything is in the title.
After a successfully post request to create a user, should I include the password in the response ?
Thanks.
Password goes the only one way, from user to server and never comes back. Actually after user is created, you should not posses password as plain text anymore. It should be hashed by BCrypt or other secure hashing function and stored in database.
Even though password would be hashed you should never send it to the client (browser)
So im coding a register and a log-in system in java. My plan for the register is: the user enters username, then enters password.
The password gets salted and stored in a .txt file.
Now when user will have to enter the password to the log-in system, how i retrieve the original password to check it from the .txt file since its salted?
My questions are two:
how i salt the password and then store it.
How to retrieve the original password, so to check it.
I have searched a lot of things but i found nothing about this.
You save both the salted password and the salt. So when saving the password you do the following:
create a salt (random hash of a certain length)
hash the password + salt combination
store this hashed string, but also store the salt and the username.
Do NOT store the plaintext password!
When a user tries to log in later, you do the following:
retrieve the hashed password and salt (stored together with the username, so look up by username)
hash the password (provided by user who wants to log in) + salt
compare this hashed string with the hashed password you stored.
If they are equal, the user provided the correct password.
So you never compare the plaintext password a user provides with a plaintext password you saved, because it is unsecure to save plaintext passwords, in case this data gets compromised.
I wrote an app that queries a Jira API which requires authentication that I provide through Basic Authentication (base64 in the header). The password was stored in the code which has to stop now because I want to hand over the code.
When the users changes their passwords due to the password schedule, the app should prompt the user for the new Jira password, save it securely, and pass it to the Jira API via Basic Authentication.
What's the best way to do this?
Normally, we would hash it but that's not possible because hashing is one-way direction and we need to pass in the real password to Jira instead of a hash.
In case of storing a string which needs to be protected in case of breaches or as a general software data security concern, encryptions should be done. For example, in your case, when the password is taken by the user then it shall be encrypted by the software before storing. While retrieving, the password is decrypted and converted to the hash(or base64) which Jira accepts for the login handshake.
Apart from the simply encrypting and decrypting, a better approach will be to use salts while encrypting and using multiple encryptions in the loop to avoid brute force attempts.
Pseudocode:
unsafe_password = getPasswordFromUser()
salt = getRandomString();
safePassword = encrypt(unsafe_password, salt, key)
// Store the password
putEntryInDB(user, safePassword, salt)
// Retrieve password
[passwordSalt, encryptedPassword] = getSaltAndEncryptedPasswordFromDB()
unsafePassword = decrypt(encryptedPassword, passwordSalt, key)
// Now login into Jira with the actual user's password (unsafePassword)
P.S. You'll be needing to store a key in the code or in some software's configuration.
Source: Attempt 4&5 https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
I want to encrypt my password after created user and persist it inside the DB. I write password to "password field" and press "Save button". Then I use this library
For encryption
BasicPasswordEncryptor passwordEncryptor = new BasicPasswordEncryptor();
String encryptedPasword = passwordEncryptor.encryptPassword(myPasword);
user = new User();
user.setUsername(username);
user.setUserRole(role);
user.setFistname(firstname);
user.setLastname(lastname);
user.setGroupId(group);
user.setBssLogin(login);
user.setBssPassword(encryptedPasword);
dao.addCrmUser(user);
After that, I have a new encrypted password inside my DB.
On the server side, I get the user and try to decrypt the password
String login = user.getLogin();
String password = user.getPassword();
String dencryptPassword = encryptor.**NOT_METHOD_FOR_IT**(password);
I need the original password, which is set inside another system.
How can I do this with my current library ?
I fount this and another libraries in Github that use some key but I do not know what is better and/or faster.
You do not decrypt the password from the database to verify it.
You encrypt the password received from the user when trying to login, and compare that encrypted value with the value in the database. Good password encryption is really a hash function, which is not reversible, for security.
The BasicPasswordEncryptor() in jasypt does despite it's name, not encrypt the password, but hashes the password using a one-way-hash (A big tell, is that the method don't require an encryption key).
You can't get the password back after this process, and the password is verified using the checkPassword(String plainPassword, String encryptedPassword) methode.
If you really need to be able to decrypt the password, you need to use another way to do real encryption when encrypting it. This raises the need for handling of encryption keys, which might introduce just as many problems than it sorts (where to store them etc.)
currently I work with Shiro to create an authenticated and authorized connection between server and client.
For now I don't have a special realm and only use the shiro.ini to save all my test users.
My question now is if there is a possibility to save the salt for each user in the shiro.ini or do I have to create a seperate database as a realm?
So is there the chance to save it somehow like this within the .ini?
[users]
*username* = *hashed Password*, *salt*, *roles
I actually do not really understand how or where I can save a random salt for each user.
My current understanding is that the 'hashed Password' in the ini is the final comparison value, for the incoming token containing a password that firstly has to be hashed with the user specific salt.