CODEXE

Password Encryption

1. Save the password without any encryption or hashing (plaintext). This is the most insecure method.

2. Symmetric encryption algorithms such as 3DES and AES. Once the key is obtained, the original password can be recovered easily. To prevent this, many complex measures are needed, such as storing and managing the password and the key separately. Thus, it is not a good method.

3. One-way hashing algorithms such as MD5 and SHA1. The original password cannot be recovered by computation, but with the development of "rainbow tables" it can be cracked by table lookup. The main disadvantage of this approach is that the cost of cracking a password is affordable for the attacker.

You can even look up an MD5 hash online on websites such as http://www.cmd5.com

4. Hashing with salt. The basic idea is to add a random, long enough value (the salt) to the password before hashing. When the user tries to sign in, get the user's salt value and hash value from the DB, use the same algorithm to generate a new hash value from the salt value and the entered password, and then compare the new hash value with the hash value in the DB.

a. The basic steps of salted hashing are:

  • Generate a random salt value that is long enough. In Java, we can use java.security.SecureRandom.
  • Add the salt to the original password, at the head or the tail, and hash the result with a password hash function (Argon2, bcrypt, scrypt). There are many open source Java libraries on GitHub.
  • Save the salt and the corresponding hash result to the DB.

  For example, the same password gives a different hash result with each salt:

    hash("hello")                    = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
    hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1
    hash("hello" + "bv5PehSMfV11Cd") = d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab
    hash("hello" + "YYLmfY6IehjZMQ") = a49670c3c18b9e079b9cfaf51634f563dc8ae3070db2c4a8544305df1b60f007

b. The basic steps of password verification are:

  • Get the user's salt value and stored hash result from the DB.
  • Combine the user's entered password with the salt and compute the new hash result.
  • Compare the hash result in the DB with the new hash result.
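As an added example (not code from this page), steps a. and b. above in Python rather than Java, using scrypt from the page's list of password hash functions through the standard library; the cost parameters, field names and the constant-time comparison are this example's own choices, and the unsalted SHA-256 helper reproduces the first line of the hash table above.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Cost parameters chosen for this example; raise SCRYPT_N on faster hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16   # 128-bit random salt, unique per user
KEY_BYTES = 32    # length of the stored hash result


@dataclass(frozen=True)
class StoredCredential:
    """What the DB row holds: the per-user salt and the salted hash, never the password."""
    salt: bytes
    digest: bytes


def unsalted_sha256(password: str) -> str:
    """Method 3 from the text: a plain hash is identical for every user with this
    password, which is exactly what a rainbow table lookup relies on."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _derive(password: str, salt: bytes) -> bytes:
    """Step 2: combine password and salt and run the slow password hash (scrypt)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)


def register(password: str) -> StoredCredential:
    """Steps 1 and 3: draw a fresh CSPRNG salt, hash, and keep salt + hash result."""
    salt = secrets.token_bytes(SALT_BYTES)
    return StoredCredential(salt=salt, digest=_derive(password, salt))


def verify(password: str, stored: StoredCredential) -> bool:
    """Verification: re-derive with the stored salt and compare in constant time,
    so the comparison itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(_derive(password, stored.salt), stored.digest)


if __name__ == "__main__":
    cred = register("hello")
    print("salt  :", cred.salt.hex())
    print("digest:", cred.digest.hex())
    print("second registration of 'hello' differs:", register("hello").digest != cred.digest)
    print("verify('hello'):", verify("hello", cred), " verify('Hello'):", verify("Hello", cred))
```

Registering the same password twice yields two different stored hashes because each call draws its own salt, so a precomputed table built for one salt is useless against the other.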