Java Forum / Security / November 2003

secure password storage

John Diamond - 29 Nov 2003 00:06 GMT
Hi,

I have a MySQL database that's holding username/password credentials for
a Servlet-based web-app I'm working on.  My question is: How do I
securely store the password in the database?

Thanks in advance!
John
Christian Friedl - 29 Nov 2003 16:12 GMT
> Hi,
>
> I have a MySQL database that's holding username/password credentials for
> a Servlet-based web-app I'm working on.  My question is: How do I
> securely store the password in the database?

Compute a hash value from the password and store this hash value in the
database. Next time the user logs on, he has to enter his pwd again.
What you do is to build this hash value again and compare it with the
one stored in DB. If it's equal...

HTH,
Christian
Michael Amling - 30 Nov 2003 00:19 GMT
> What you do is to build again this hash value and compare it with the
> one stored in DB. If it's equal...

  Are you thinking of sending the password in the clear over the
network? That can be avoided by using SRP. http://srp.stanford.edu/ has
documentation for the protocol, which, if it were me, I would implement
using java.math.BigInteger.

--Mike Amling
John Diamond - 30 Nov 2003 02:49 GMT
I went ahead and computed hash values to store in the database.  This
prevents someone who is viewing the user table from seeing everyone's
password, which is what I was seeking to prevent.

Thanks for the help everyone!

Abdullah Kauchali - 30 Nov 2003 13:30 GMT
"Michael Amling" <nospam@nospam.com> wrote in message news:qIayb.7660
>    Are you thinking of sending the password in the clear over the
> network? That can be avoided by using SRP. http://srp.stanford.edu/ has
> documentation for the protocol, which, if it were me, I would implement
> using java.math.BigInteger.

Hi Mike,

Thanks for that link.  One question, though:

Won't the usage of SRP require that passwords be actually stored
(irrespective of whether encrypted or not) on the server?  (i.e., does SRP
require the plain-text user password, or does it work off the hashed value
of the password on the server to generate the server public key?)

Kind regards

Abdullah
Abdullah Kauchali - 30 Nov 2003 14:45 GMT
"Abdullah Kauchali" <abdullah.kauchali@somewhere.com> wrote in message
> Hi Mike,
>
> Thanks for that link.  One question, though:
>
> Won't the usage of SRP require that passwords be actually stored
> (irrespective whether encrypted or not) on the server?

:)  Okay, don't answer that, just read the protocol details, and apparently
"NOT".  Great stuff.

It would be interesting to see any references that demonstrate the
incorporation of Single Signon to OpenLDAP, ActiveDirectory with SRP.

Regards

Abdullah
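Mike's suggestion of SRP over `java.math.BigInteger` and Abdullah's question about what the server has to keep are answered by the same piece of code, so one added example covers both (it is not code from the thread or from the Stanford SRP project). At registration the server stores only a salt and a verifier `v = g^x mod N`, where `x = H(s | H(I ":" P))`; the password itself never reaches the server, and at login both sides derive a shared key from `A = g^a`, `B = k*v + g^b` and the mixing value `u = H(A | B)` without the password crossing the wire. Assumptions for illustration: a freshly generated 256-bit safe-prime group with `g = 2` (a real deployment uses a fixed, published group of at least 2048 bits, for example from RFC 5054), SHA-256 as `H`, and simplified proof messages `M1 = H(A | B | K)` and `M2 = H(A | M1 | K)` rather than the exact RFC 2945 layout; all class and method names are the example's own.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/** SRP-6a registration and login, both sides in one process (added example). */
public final class SrpDemo {
    static final SecureRandom RNG = new SecureRandom();
    // Demo-only group: N = 2q + 1 is generated on startup. Assumption, not a published group.
    static final BigInteger N = safePrime(256);
    static final BigInteger g = BigInteger.valueOf(2);
    static final BigInteger k = H(pad(N), pad(g));                  // SRP-6a multiplier k = H(N | PAD(g))

    /** Server-side record: salt and verifier only. No password, no reusable password hash. */
    static final class Verifier {
        final byte[] salt; final BigInteger v;
        Verifier(byte[] salt, BigInteger v) { this.salt = salt; this.v = v; }
    }

    static BigInteger safePrime(int bits) {
        while (true) {
            BigInteger q = BigInteger.probablePrime(bits - 1, RNG);
            BigInteger p = q.shiftLeft(1).add(BigInteger.ONE);
            if (p.isProbablePrime(64)) return p;
        }
    }

    static byte[] sha(byte[]... parts) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (byte[] p : parts) md.update(p);
            return md.digest();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    static BigInteger H(byte[]... parts) { return new BigInteger(1, sha(parts)); }

    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    /** Fixed-width big-endian encoding of x, the same length as N (strips BigInteger's sign byte). */
    static byte[] pad(BigInteger x) {
        int len = (N.bitLength() + 7) / 8;
        byte[] raw = x.toByteArray();
        byte[] out = new byte[len];
        int start = raw.length > len ? raw.length - len : 0;
        System.arraycopy(raw, start, out, len - (raw.length - start), raw.length - start);
        return out;
    }

    /** x = H(s | H(I ":" P)); computed by the client only, never stored. */
    static BigInteger x(byte[] salt, String I, char[] P) {
        return H(salt, sha(utf8(I), utf8(":"), utf8(new String(P))));
    }

    static BigInteger randomExponent() {
        BigInteger e;
        do { e = new BigInteger(N.bitLength(), RNG).mod(N); } while (e.signum() == 0);
        return e;
    }

    /** Registration: the client computes v from the password; the server keeps (salt, v). */
    static Verifier register(String I, char[] P) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return new Verifier(salt, g.modPow(x(salt, I, P), N));
    }

    /** One login run; true iff both sides derive the same key and the proofs match. */
    static boolean login(Verifier stored, String I, char[] P) {
        BigInteger a = randomExponent(), A = g.modPow(a, N);          // client -> server: I, A
        if (A.mod(N).signum() == 0) return false;                     // server aborts on A = 0 mod N
        BigInteger b = randomExponent();
        BigInteger B = k.multiply(stored.v).add(g.modPow(b, N)).mod(N); // server -> client: salt, B
        if (B.mod(N).signum() == 0) return false;                     // client aborts on B = 0 mod N
        BigInteger u = H(pad(A), pad(B));
        if (u.signum() == 0) return false;
        BigInteger xc = x(stored.salt, I, P);                         // client side, from the typed password
        BigInteger Sc = B.subtract(k.multiply(g.modPow(xc, N))).mod(N).modPow(a.add(u.multiply(xc)), N);
        BigInteger Ss = A.multiply(stored.v.modPow(u, N)).mod(N).modPow(b, N); // server side, from v only
        byte[] Kc = sha(pad(Sc)), Ks = sha(pad(Ss));
        byte[] M1c = sha(pad(A), pad(B), Kc), M1s = sha(pad(A), pad(B), Ks);
        if (!MessageDigest.isEqual(M1c, M1s)) return false;           // wrong password lands here
        byte[] M2s = sha(pad(A), M1s, Ks), M2c = sha(pad(A), M1c, Kc);
        return MessageDigest.isEqual(M2s, M2c);                       // client checks the server knew v
    }

    public static void main(String[] args) {
        Verifier rec = register("john", "correct horse".toCharArray());   // constructed sample account
        System.out.println(login(rec, "john", "correct horse".toCharArray()));   // true
        System.out.println(login(rec, "john", "wrong password".toCharArray()));  // false
    }
}
```

The algebra behind the two `S` lines: on the client `B - k*g^x = g^b`, so `Sc = g^(b(a + ux))`; on the server `(A * v^u)^b = (g^a * g^(xu))^b`, the same value. A stolen verifier does not let an attacker log in as the user (that would need the discrete log of `v`), but it does allow an offline dictionary attack against that one account, so the table holding `v` still needs the same access controls as a table of password hashes, and the group should be large enough that `g^x` is expensive to brute-force.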