Password encryption with Spring/Hibernate - Jasypt or something else? [closed]

Question

In a Java application stack with Spring & Hibernate (JPA) in the Data Access Layer, what are good methods of applying the password encryption (hopefully using annotations), and where can you find out more about getting it done (tutorial, etc)?

It's understood that I would use a JCA supported algorithm for encrypting the passwords, but I would prefer to not have to implement the wrapper logic if there is an easy way.

I was looking at Jasypt, and was a) wondering if that's a good option and how to do it and b) what else people are using for this. If anyone is using Jasypt or an alternative, details of your experience it would be great.

Answer 1

Java has all of the required libraries already provided for you. Simply create a utility method that implements hashing with a salt as described at OWASP.

If you really don't want to own that code and don't mind an extra dependency, it seems that the Shiro library (formerly JSecurity) has an implementation of what is described by OWASP.

It also looks like the JASYPT library you mentioned has a similar utility.

I realize that this answer doesn't mention Spring or Hibernate but I'm not clear how you are hoping to utilize them in this scenario.

Answer 2

You can use Jasypt with Hibernate to encrypt or hash your properties on the fly if thats what you're looking for. The actual algorithm for computing digests (hashes) is pretty simple using the JCE if you want to roll your own as well.

Answer 3

MD5 or SHA-256 would be fine, although MD5 is crackable now.

Maybe I misunderstood the problem, but it should be just comparing the hashed passwords.

In hibernate, just store as a String. On the validation side, have a method like:

public validate(String user, String pass)
{
    if(getUser(user).getPass().equals(getHash(pass)))
        return true;
    return false;
}

Answer 4

There doesn't seem to be a Hibernate specific way to do it with Jasypt, but you can set up a password encryptor in Spring:

  <!-- 
   Set up string digester here so we can configure it for more pools if it's a problem... 
  -->
  <bean id="stringDigester" class="org.jasypt.digest.PooledStringDigester">
    <!-- same settings as StrongPasswordGenerator -->
    <property name="poolSize" value="2"/>
    <property name="algorithm" value="SHA-256"/>
    <property name="iterations" value="100000"/>
    <property name="saltGenerator">
      <bean class="org.jasypt.salt.RandomSaltGenerator"/>
    </property>
    <property name="saltSizeBytes" value="16"/>
  </bean>

  <!-- ...and then we only have to deal with the passwordEncryptor interface in code. -->
  <bean id="passwordEncryptor" class="com.myproject.util.StringPasswordEncryptor">
    <property name="stringDigester" ref="stringDigester"/>
  </bean>

After that, you call context.getBean("passwordEncryptor") to get the encryptor, and then call either encryptPassword() or checkPassword().

Answer 5

If you are using Spring in your application, then you can also use Spring Security,which provides you with several password encoders, i.e. ShaPasswordEncoder You can find it on StackOverflow

Answer 6

I just use something similar to SHA-256(username + ":" + password + ":" + salt) and store it in the database in a 64-character column called passwd.

Wikipedia says, relating to salts: "Salt data complicates dictionary attacks that use pre-encryption of dictionary entries: each bit of salt used doubles the amount of storage and computation required. ... For best security, the salt value is kept secret, separate from the password database. This provides an advantage when a database is stolen, but the salt is not."

So to authenticate, get user from database with supplied username, then generate the same hash using the password provided via their login attempt, and compare to that in the database. Also add in some rate limiting for login attempts (e.g., 5 per 5 minute period). If the user forgets their password, NEVER email them the password (as you won't have it stored), nor email them a new generated password, but email them a link to change that password with a change password key/nonce/salt in the URL that you can check against.