Question 1:
It depends on security requirements. For most cases it's enough.
Question 2:
Here you can find a way to calculate the SHA1 of a string: Java String to SHA1
Question 3:
Storing passwords in some particular table in the database is quite a common practice. I recommend using hashed passwords together with a so-called salt, so the protocol is:
- User is registering or changing password and sending you his/her password.
- We generate some looooooooong random string which we're gonna use as salt.
- Now, we need to calculate the value we're going to store in the database.
Assuming you have a sha1() method that performs the hash calculation:
String salt = generateLongRandomString();
String hashToStore = sha1(sha1(password) + salt);
- Now, we need to store in the database at least three fields for each user:
  - username (or something similar, maybe email);
  - hashToStore;
  - salt.
Ok, next step is authentication.
- User wants to authenticate and sends you his password.
- You retrieve the stored hash and salt for this user, searching by username or email;
- You recalculate the hash using the formula I wrote above and compare it with the stored value. If it matches, the user is authentic and you may inform him/her about it.
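The registration and authentication steps described in this answer, written out as an added Java example (not code from the answer itself). It uses the JDK's MessageDigest and SecureRandom; the class, StoredCredential record (Java 16+) and method names are mine, and the sample user and password are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class SaltedSha1Demo {
    // Hex-encoded SHA-1 of a string: the sha1() method the answer assumes you already have.
    static String sha1(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Long random salt from a CSPRNG (32 bytes), Base64-encoded so it can be stored as text.
    static String generateLongRandomString() {
        byte[] salt = new byte[32];
        new SecureRandom().nextBytes(salt);
        return Base64.getEncoder().encodeToString(salt);
    }

    // The three fields the answer says to store per user: username, hashToStore, salt.
    record StoredCredential(String username, String hashToStore, String salt) {}

    // Registration / password change: the answer's formula, sha1(sha1(password) + salt).
    static StoredCredential register(String username, String password) {
        String salt = generateLongRandomString();
        return new StoredCredential(username, sha1(sha1(password) + salt), salt);
    }

    // Authentication: recompute with the stored salt and compare in constant time,
    // so a wrong password takes the same time to reject however many characters match.
    static boolean authenticate(StoredCredential stored, String password) {
        String recomputed = sha1(sha1(password) + stored.salt());
        return MessageDigest.isEqual(recomputed.getBytes(StandardCharsets.UTF_8),
                                     stored.hashToStore().getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        StoredCredential row = register("alice", "correct horse");   // constructed sample user
        System.out.println(authenticate(row, "correct horse"));      // correct password
        System.out.println(authenticate(row, "wrong horse"));        // wrong password
        // Two users with the same password get different stored hashes because the salts differ.
        System.out.println(register("bob", "correct horse").hashToStore().equals(row.hashToStore()));
    }
}
```

SHA-1 is kept here because the answer uses it; for a new system a deliberately slow password hash such as the JDK's PBKDF2WithHmacSHA256 (via SecretKeyFactory) is the usual choice in place of the double SHA-1.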