0

I am developing a web application using MySQL and Java Persistence API on Netbeans. The application requires a user to create an account to use and I am trying to encrypt the password before storing into database. The issue is that in my SQL script, I set the user account table that stores the password a string with a size limit of 256 and auto-generated the JPA entity classes. If I stored the password normally, this doesn't create an issue, but the problem becomes whenever I tried to encrypt the password. This is what I originally had:

import org.netbeans.lib.uihandler.PasswdEncryption;

public void encryptPassword(String password)
{
    String encryptedPassword = PasswdEncryption.encrypt(password);

    storeIntoDatabase(password);
}

However, whenever I tried to create a new account, I receive a EJBExcepton which was caused by a javax.ConstraintViolationException.

What I found was that the PasswdEncryption.encrypt was creating a string size greater than 256 which I believe was causing the exception. I first tried modifying my original SQL script to increase the password entry size and ran it, but I still get the same issue because the entity class constraint is still 256. So my question is

  1. Is there a way to change the constraints without having to auto-generate again?
  2. Or create an encryption string with a size of 256 or less?
Improve this question
1
  • "I am trying to encrypt the password". Stop right there. Passwords should be hashed, not encrypted, otherwise you lose the legal property of non-repudiation, which to put it simply can send your company broke. Don't do this. See also this question. Commented Oct 30, 2014 at 0:31

3 Answers 3

Reset to default
1

Think twice before storing passwords into database. Even encrypted. It makes your system critically vulnerable. Most users use the same password in several systems. After your system will be hacked - all these passwords become compromised.

Usual practice is to store hashes of passwords, e.g. sha1 or md5. And this also will help you with your problem. I recommend you to revise your authentication approach.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

You don't need to generate your entity classes anew. Just change the constraints in you Java code, compile and run your application. Generating entity classes from DDL is just a conveniency offered by NetBeans. You can write your classes and SQL script by hand, or you can generate DDL from Java code, any way you like.

Improve this answer

3 Comments

How would you change the constraints? Where is that located?
Constraints are annotations in you generated entity Java class. See the tutorial. It can look like this in your code: @Size(min=2, max=255) private String password
@schen it might have worked, but your system is badly vulnerable if you're storing encrypted passwords, and there should be no need to do so. See ursa's answer for why, and my answer for what you really ought to be doing instead.
0

You should look into using bcrypt for this. It's the standard for password encryption, and it'll produce strings of much less than 256 characters.

Try the jBCrypt library.

Note that password encryption is a term I'm using loosely here: really bcrypt does password hashing. But that is quite certainly what you ought to be doing, rather than a reversible encryption operation.

See this question for important further details.

Improve this answer

2 Comments

It is one implementation of one standard for password hashing. Not encryption, despite its name.
@EJP sure. I was taking it that's what OP probably really meant, and certainly what OP really wanted. Perhaps I should have been clearer on that.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.