Question

On one side I have: http://forums.enterprisedb.com/posts/list/2481.page Here we declare the field as BYTEA and we can decrypt it, and the encryption is on the DB level.

On the other side: https://www.owasp.org/index.php/Hashing_Java Here it is a varchar and we only compare hashes to authorize.

Finally, Spring gives http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/crypto/password/StandardPasswordEncoder.html + a char secret value. Is the secret applied the same for every password?

Which is the best approach? (I lean towards Spring since, as I understand it, it encapsulates similar logic to OWASP in a few lines of code?)

Solution

PostgreSQL encoding:

  • Your application will probably depend on PostgreSQL, and maybe you have to rewrite this part if you want to use it with another DBMS.
  • If PostgreSQL is on another machine you should consider using some form of secure communication between the application and the DBMS, because the passwords are transferred between them as plain text.

OWASP vs Spring:

  • They are very similar.
  • Both use salt.
  • Spring uses a secret (OWASP does not).
  • Of course you could modify OWASP to use a secret if you need that, or you can use the StandardPasswordEncoder without a secret.
  • Spring's encode() returns only one string which contains the salt too (as usual in Unix/Linux), while OWASP requires an additional database attribute for the salt value.
  • Spring is simpler and maybe it's better maintained than the OWASP web article from 2008.
  • OWASP mixes functionalities: it encodes/checks the passwords and contains a lot of JDBC code too.
  • Spring just encodes/checks the passwords, and the password storage is your responsibility. But maybe your framework does that for you, or you could write it yourself.

I'd use StandardPasswordEncoder. It's simpler and does the same as OWASP.
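To make the difference between the two hashing approaches concrete, here is an added Python emulation of the scheme the StandardPasswordEncoder Javadoc describes (SHA-256, 1024 iterations, a random 8-byte salt, an optional secret prefixed to the input, and the salt stored in front of the hash in one hex string). This is example code written for this answer, not Spring's or OWASP's code; the exact concatenation order and iteration loop are assumptions from the documentation, so the output is not guaranteed to be byte-identical to Spring's. What it does show is the two points the answer makes: the salt travels inside the single encoded string (one database column), and the secret is the same for every password but is never stored in the database, so a dump of the users table alone is not enough to start guessing passwords offline.

```python
import hashlib
import hmac
import os

SALT_BYTES = 8        # StandardPasswordEncoder documents an 8-byte random salt
ITERATIONS = 1024     # and 1024 SHA-256 iterations
HASH_BYTES = hashlib.sha256().digest_size   # 32


def _digest(secret: bytes, salt: bytes, password: str) -> bytes:
    """Iterated SHA-256 over secret || salt || password (assumed order)."""
    d = hashlib.sha256(secret + salt + password.encode("utf-8")).digest()
    for _ in range(ITERATIONS - 1):      # every further round re-hashes the digest
        d = hashlib.sha256(d).digest()
    return d


def encode(password: str, secret: str = "") -> str:
    """Return hex(salt || hash): the only value that needs a DB column."""
    salt = os.urandom(SALT_BYTES)        # fresh per password, so equal passwords differ
    return (salt + _digest(secret.encode("utf-8"), salt, password)).hex()


def matches(password: str, encoded: str, secret: str = "") -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    try:
        raw = bytes.fromhex(encoded)
    except ValueError:
        return False                     # malformed stored value, never a match
    if len(raw) != SALT_BYTES + HASH_BYTES:
        return False
    salt, stored = raw[:SALT_BYTES], raw[SALT_BYTES:]
    candidate = _digest(secret.encode("utf-8"), salt, password)
    return hmac.compare_digest(stored, candidate)   # avoids timing leaks


if __name__ == "__main__":
    # Constructed demo values; the secret would live in application config,
    # not in the database next to the hashes.
    pepper = "app-wide-secret"
    stored = encode("correct horse", pepper)
    print("stored:", stored, "(%d hex chars)" % len(stored))
    print("same password, different salt:", encode("correct horse", pepper) != stored)
    print("login ok:", matches("correct horse", stored, pepper))
    print("wrong password:", matches("wrong", stored, pepper))
    print("hash without the secret:", matches("correct horse", stored))
```

The last line of the demo is the practical answer to the question's "same secret for every password" worry: yes, it is the same for all users, but it acts as a second input that an attacker holding only the database does not have, which is why keeping it in application configuration rather than in the DB is what gives it value.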

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow