-1

I am trying to encrypt the password using MD5 in user registration and matching the same during logging in. I am using MySQL as my database. MySQL too offers an option to convert a password into MD5 (i.e. MD5(password)). I want to know which is the better way to encrypt it: is it using Java code or a MySQL query?

Thanks in advance.

user1277996
  • You also might want to read http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html – Philipp Reichart May 22 '12 at 06:01
  • 3
    This is not encryption: this is MD5 hashing. Hashing is the correct thing to do, but you need to call it by its right name. An SHA hash would be far more secure. – user207421 May 22 '12 at 06:12

3 Answers

9

Don't store passwords. If it's ever sitting on a disk, it can be stolen. Instead, store password hashes. Use the right hashing algorithm, like SHA256 or BCrypt, or salt the hash.

Here are some useful links you must see:

Hope this helps.

AlphaMale
  • He isn't storing passwords. Your point? – user207421 May 22 '12 at 06:13
  • Matching passwords while logging in with encrypted ones means he will store passwords in MySQL. That's the point. – AlphaMale May 22 '12 at 06:17
  • 1
    No, the point is that he *is* 'storing password hashes'. Read the question. He's misusing the word 'encryption', and should be using SHA rather than MD5, but otherwise he is doing exactly what you said he should do. – user207421 May 22 '12 at 06:23
3

Since logically your application and database can exist in two separate physical boxes, it is a safer option if you encrypt your password in the application layer and then move it to the database.

From an application design point of view you should consider encryption, hashing your password at a very early level so that from layer to layer your password doesn't move as a plain string.

Off topic:

MD5 is prone to collision attacks; you would consider using a salt like appending the email or dynamically generated values to prevent rainbow tables.

definitely-safest-password-storage-scheme

mprabhat
3

Here is the algorithm I use to crypt with MD5. It returns your crypted output.

    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.logging.Level;
    import java.util.logging.Logger;

    public class CryptWithMD5 {

        public static String cryptWithMD5(String pass) {
            try {
                // Local instance: MessageDigest is not thread-safe, so a shared static field is unsafe.
                MessageDigest md = MessageDigest.getInstance("MD5");
                // Fix the charset so the same input hashes identically on every platform.
                byte[] passBytes = pass.getBytes(StandardCharsets.UTF_8);
                byte[] digested = md.digest(passBytes);
                StringBuilder sb = new StringBuilder(digested.length * 2);
                for (byte b : digested) {
                    // Always two hex digits per byte; Integer.toHexString alone drops leading zeros,
                    // which made the original output variable-length and non-comparable.
                    sb.append(String.format("%02x", b));
                }
                return sb.toString();
            } catch (NoSuchAlgorithmException ex) {
                Logger.getLogger(CryptWithMD5.class.getName()).log(Level.SEVERE, null, ex);
            }
            return null;
        }
    }

You cannot decrypt MD5, but you can compare outputs, since if you put the same string in this method it will return the same crypted output. If you want to decrypt you need to use the SHA. You will never use decryption for a user's password. For that always use MD5. That exception is pretty redundant. It will never throw it. When you add the password to the database, you add what this method returns. To login you compare them.

Adrian Stamin