4

Hi, I am working on a project in Java using GWT. I want to save a password using encryption and decryption. Which is the best way to save a password with encryption and decryption in Java? Is there any API I should use? Any help?

Thanks in Advance

2
  • 4
    You should never encrypt your users' passwords. You need to use hashing instead, with some strong ones being PBKDF2, bcrypt and scrypt. Since hash functions are one-way functions, you won't be able to "decrypt" the hashes. In order to authenticate your user, you can run the password through the hash function again in order to compare with the hash that is stored in the database. Commented Sep 15, 2015 at 14:43
  • Don't forget to add salt to your passwords before hashing to guard against dictionary attacks. Also, use secure hashing algorithms such as from the SHA-2 family and especially not the widely used but very unsafe MD5. Commented Sep 17, 2015 at 9:16

1 Answer

2

You can use the GWT-Crypto library.

Usage is quite simple and is presented in the following code:

    //this will be used for encrypting and decrypting strings
    private TripleDesCipher encryptor;  

    ...

    //creating key for encryptor
    TripleDesKeyGenerator generator = new TripleDesKeyGenerator();
    byte[] key = generator.decodeKey("04578a8f0be3a7109d9e5e86839e3bc41654927034df92ec"); //you can pass your own string here

    //initializing encryptor with generated key
    encryptor = new TripleDesCipher();
    encryptor.setKey(key);

    ...

The example functions using the encryptor can look like:

    private String encryptString(String string)
    {
        try
        {
            return encryptor.encrypt(string);
        }
        catch (DataLengthException | IllegalStateException | InvalidCipherTextException e)
        {
            // Fail closed: never return the plaintext as if it were ciphertext
            throw new RuntimeException("Encryption failed", e);
        }
    }

    private String decryptString(String string)
    {
        try
        {
            return encryptor.decrypt(string);
        }
        catch (DataLengthException | IllegalStateException | InvalidCipherTextException e)
        {
            // Fail closed: never return the ciphertext as if it were the decrypted value
            throw new RuntimeException("Decryption failed", e);
        }
    }

5 Comments

Please don't do that - client-side encryption is not a good idea, they even have an article on that in their wiki. Please send the plain text password over an encrypted channel (SSL) and process it securely on the server (for example, hash it with bcrypt).
I'm not saying it's a good idea, because you are right - just that this is a way to encrypt/decrypt a string in GWT.
It's a way to encrypt/decrypt in GWT on the client side. OP was asking for "the best way to save password with encrypt and decrypt in java", so not specifically on the client side - hence my remark. While your answer provides a valid way to encrypt/decrypt, it's a way that's strongly discouraged by the experts. That's similar to mentioning MD5 as a password hashing algorithm - technically correct (it's a hashing algorithm), but you should use stronger, salted hashing algorithms (i.e. bcrypt).
Thank you. I want to use bcrypt, so do I have to include any jar? And from where for bcrypt?
Thank you, Igor Klimer, for your information. I did it using bcrypt, but I wrote the bcrypt code on the server side, meaning using an RPC call. So from the client I am just sending the password text to the server side using an RPC call. Is my password secure? And then I am converting the password to a hash using bcrypt before saving the password to the entity. So is my password secure?
