All geek questions in one place

Password Encoding and Decoding Using Spring Security, Spring Download and MongoDB

I use the above software stack above and I need to encrypt the password before saving to the database. I also need to decrypt the password, because when someone changes the password, he will need to provide the old password, and then the new onw twice, and I need to check the old password. I searched a lot, but I still donโ€™t know how to do it right. I found this Encryption link, but are there any other clues? I am also not sure if MongoDB can provide something for password protection.

+5
source share
2 answers

Read Stephen Carlson โ€™s answer on password hashing first.

Good thing Spring Security will do it for you. Spring Security 3.2 introduced a new org.springframework.security.crypto.password.PasswordEncoder interface and some implementations: BCryptPasswordEncoder , StandardPasswordEncoder (and NoOpPasswordEncoder ).

Important: do not confuse org.springframework.security. crypto.password .PasswordEncoder with old deprecated org.springframework.security. authentication.encoding .PasswordEncoder

An interface (and therefore an implementation) has two methods that you need:

  • public String encode(CharSequence rawPassword)
  • public boolean matches(CharSequence rawPassword, String encodedPassword)

I recommend using org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder . BCryptPasswordEncoder (unlike StandardPasswordEncoder ) uses a salt that is different for each password (but not global, like StandardPasswordEncoder ). When you encode a raw password ( public String encode(CharSequence rawPassword) ), the returned encoded password is not only a coded password, it also contains some meta information about the hash algorithm used, the salt used and, of course, the encoded password.

+19
source

You should not "encrypt" the password at all. I know this sounds contradictory. But there is no reason why you will need to decrypt the password. For this, your database will be opened for hackers, because if you store your decryption password in your codes / servers, the hacker can steal this information.

The correct process is the hash password. A hash is a one-way (cannot be returned to source) process. The current standard would be to use SHA256 to hash your password. Here is the basic flowchart:

  • Take your user password. The example password "mypass" will have the value ea71c25a7a602246b4c39824b855678894a96f43bb9b71319c39700a1e045222
  • Save this hash ( ea71c25a7a602246b4c39824b855678894a96f43bb9b71319c39700a1e045222 ) in your database.

When the user logs in, you take the password that he just sent and the hash of it. If he enters the same password, he will hash to the same value in your database.

When the user switches to changing passwords, you get "enter your old password" to check that the old password still matches, if it contains the hash "enter new password" and save it.

In my example, I did not mention salt . This is what you should use on your system as it protects your data from rainbow table exploits. But this is for another discussion.

Hope this helps :)

+17
source

Source: https://habr.com/ru/post/1242425/

More articles:


All Articles