Store encrypted password in database

kebabkongen

Hi,
I am working on a Java application where I need to store encrypted
passwords in a database.

So far I have a password which I have encrypted using the MessageDigest
class as below:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/*
 * encrypt password
 */
String kryptPwd = null;
try {
    MessageDigest md = MessageDigest.getInstance("MD5");
    md.update(password.getBytes());    // encodes with the platform default charset
    byte[] hashedPwd = md.digest();    // 16 raw bytes, not text
    kryptPwd = new String(hashedPwd);  // interprets the raw bytes as characters
} catch (NoSuchAlgorithmException e) {
    System.out.println(e);
}

This returns an encrypted password, but the String that is returned has
very strange characters which I believe will introduce a lot of
problems when storing it in the database (when later
comparing/verifying the encrypted passwords using SQL).

I have noticed that stored passwords in an Oracle database have "normal
characters" (such as A-Z and 0-9). Is there some normal procedure for
converting the digested password to a more "database friendly" format?

Regards, Per Magnus
sross

Hi,
the strings you are seeing in your database are hex strings;
generally all digested strings you'll see will come in this format.
Googling for java+byte+array+to+hex+string should give you
the resources you need to do the conversion; I don't know of any
standard Java API for this.

Cheers,
Sean.
Roedy Green

This returns an encrypted password, but the String that is returned has
very strange characters which I believe will introduce a lot of
problems when storing it in the database (when later
comparing/verifying the encrypted passwords using SQL).


One common technique is to compute the SHA-1 and store it as a hex
string of 40 digits.
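Sean's and Roedy's replies come down to the same step: turn the digest bytes into hex before they go anywhere near a text column, and turn the hex back into bytes when verifying. The example below is added here and is not code from the thread. Since Java 17 the JDK does ship a standard API for this, java.util.HexFormat; a hand-written loop with identical output is included for older JDKs. It uses SHA-1 as Roedy suggests purely to show the encoding (40 hex digits for a 20-byte digest) and also shows why the original new String(hashedPwd) loses data. Note that a fast, unsalted digest such as MD5 or SHA-1 is not adequate for storing passwords today, since the hashes can be brute-forced offline; a salted, deliberately slow function such as PBKDF2 should be used, with only the encoding step shown here carried over.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HexFormat;

// Added example, not code from the thread: hex-encode a digest for a
// text column and decode it again for verification.
public class HexDigest {

    // Digest with an explicit charset. password.getBytes() with no
    // argument uses the platform default, so the same password could
    // hash differently on two machines.
    static byte[] digest(String algorithm, String password)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Standard API since Java 17: lower-case hex, two chars per byte.
    static String toHex(byte[] bytes) {
        return HexFormat.of().formatHex(bytes);
    }

    // Same output, for JDKs before 17.
    static String toHexLegacy(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        return HexFormat.of().parseHex(hex);
    }

    public static void main(String[] args) throws Exception {
        String password = "correct horse battery staple"; // constructed sample input
        byte[] sha1 = digest("SHA-1", password);

        String stored = toHex(sha1); // what goes into a VARCHAR(40) column
        System.out.println(stored.length() + " hex digits: " + stored);
        System.out.println("legacy encoder agrees: " + stored.equals(toHexLegacy(sha1)));

        // Verify a login: decode the stored hex and compare the bytes in
        // Java with a constant-time comparison, not with WHERE hash = ? in SQL.
        byte[] presented = digest("SHA-1", "correct horse battery staple");
        System.out.println("correct password: " + MessageDigest.isEqual(fromHex(stored), presented));
        byte[] wrong = digest("SHA-1", "Correct horse battery staple");
        System.out.println("wrong password:   " + MessageDigest.isEqual(fromHex(stored), wrong));

        // Why the original new String(hashedPwd) breaks: decoding arbitrary
        // bytes as text replaces sequences that are not valid UTF-8, so the
        // round trip usually does not give the digest back.
        byte[] roundTrip = new String(sha1, StandardCharsets.UTF_8)
                .getBytes(StandardCharsets.UTF_8);
        System.out.println("String round trip preserves digest: " + Arrays.equals(sha1, roundTrip));
    }
}
```

Hex is case-insensitive, so if the column is compared in SQL make sure both sides use the same case (HexFormat emits lower case); Base64 is the other common text encoding and is equally database friendly, at 28 characters for a SHA-1 digest instead of 40.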
Harri Tuuloskoski

This returns an encrypted password, but the String that is returned has
very strange characters which I believe will introduce a lot of
problems when storing it in the database (when later
comparing/verifying the encrypted passwords using SQL).

I have noticed that stored passwords in an Oracle database have "normal
characters" (such as A-Z and 0-9). Is there some normal procedure for
converting the digested password to a more "database friendly" format?

Change the password field to a binary format, and store the digest "as is".
Then you don't need to do binary<->String conversions, which will
also remove your problems with "weird" Strings.

Also, using the MessageDigest.isEqual method removes the need for manually
checking hash equality. By using PreparedStatements with
setBinary/getBinary, things should work just fine.
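Harri's approach, keeping the hash as bytes from the digest all the way to the column and back, avoids the encoding question entirely. The example below is added here and is not code from the thread. The JDBC methods for binary columns are PreparedStatement.setBytes and ResultSet.getBytes; the table and column names (users, username, salt, hash) are assumptions. It goes beyond the MD5/SHA-1 digest discussed in the thread and derives the stored value with PBKDF2 (PBKDF2WithHmacSHA256 is standard in the JDK) over a random per-user salt, since a fast, unsalted digest of a password can be brute-forced offline from a leaked table. Verification fetches the stored bytes and compares them in Java with MessageDigest.isEqual rather than asking SQL to match the hash. The store/verify methods need a real Connection; main runs the same logic stand-alone against an in-memory map.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not code from the thread. Assumed schema:
//   CREATE TABLE users (username VARCHAR(64) PRIMARY KEY,
//                       salt VARBINARY(16) NOT NULL,
//                       hash VARBINARY(32) NOT NULL)
public class BinaryPasswordStore {
    private static final int ITERATIONS = 210_000; // tune so one hash takes ~100 ms on your hardware
    private static final int SALT_BYTES = 16;
    private static final int HASH_BITS = 256;       // 32 bytes, matches VARBINARY(32)
    private static final SecureRandom RNG = new SecureRandom();

    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    // Salted, slow derivation; the same password and salt always give the same bytes.
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BITS);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return f.generateSecret(spec).getEncoded();
    }

    // Salt and hash go in as bytes; no String conversion anywhere.
    static void store(Connection c, String user, char[] password) throws Exception {
        byte[] salt = newSalt();
        byte[] hash = pbkdf2(password, salt);
        try (PreparedStatement ps = c.prepareStatement(
                "INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)")) {
            ps.setString(1, user);
            ps.setBytes(2, salt);
            ps.setBytes(3, hash);
            ps.executeUpdate();
        }
    }

    // Fetch by username only and compare in Java in constant time,
    // rather than WHERE hash = ? which would let SQL do the comparison.
    static boolean verify(Connection c, String user, char[] password) throws Exception {
        try (PreparedStatement ps = c.prepareStatement(
                "SELECT salt, hash FROM users WHERE username = ?")) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false;
                byte[] salt = rs.getBytes("salt");
                byte[] stored = rs.getBytes("hash");
                return MessageDigest.isEqual(stored, pbkdf2(password, salt));
            }
        }
    }

    // Stand-alone demo: a map of username -> {salt, hash} stands in for the table.
    public static void main(String[] args) throws Exception {
        Map<String, byte[][]> table = new HashMap<>();
        byte[] salt = newSalt();
        table.put("alice", new byte[][] { salt, pbkdf2("hunter2".toCharArray(), salt) }); // constructed sample

        byte[][] row = table.get("alice");
        System.out.println("correct password: "
                + MessageDigest.isEqual(row[1], pbkdf2("hunter2".toCharArray(), row[0])));
        System.out.println("wrong password:   "
                + MessageDigest.isEqual(row[1], pbkdf2("hunter3".toCharArray(), row[0])));

        // Pitfall when comparing manually: byte[].equals() compares references, not contents.
        byte[] again = pbkdf2("hunter2".toCharArray(), row[0]);
        System.out.println("row[1].equals(again):        " + row[1].equals(again));
        System.out.println("Arrays.equals(row[1], again): " + Arrays.equals(row[1], again));
    }
}
```

If the schema must stay a text column, the same code works with the salt and hash hex- or Base64-encoded on the way in and decoded on the way out; what matters is that the comparison happens on bytes in Java, and that the stored value is salted and slow to compute.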
 
