How to encode Jaysypt password

Question

At the moment I am maintaning my jsypt entry as below. I have seen in some example instead of placing the plain text it uses ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm).

 <bean id="strongEncryptor"   class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
<property name="algorithm">
  <value>PBEWithMD5AndTripleDES</value>
</property>
<property name="password">
  <value>jasypt</value>
</property>
</bean>

Please provide me steps to make it ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm). how to get the value G6N718UuyPE5bHyWKyuLQSm02auQPUtm related to my password

Answer 1

If this is a server-side application, then all passwords should be stored as password hashes. You should NEVER store a password in the clear. You should salt the password before you hash it to add security.

Also, you should not encrypt clear text passwords. This is because if the attacker exploited your machine, chances are, they already have the encryption key you used to encrypt the passwords. Hashing is safer because you cannot 'unhash' a password.

My recommendation:

String password = hashFunc(password + username + salt);

Then store the passwords like that. Use SHA-2 hashing for reliable security.

That way when you recieve a password from your client, all you have to do is hash the password and compare the hashes.