postgresql: how to store a user password?

Question

I'm using play-framework 2.0 (java web-framework) with postgresql.

1. what encryption type for a user's password is the most common today? I understood that MD5 has been abounded in the last few years.
2. what is the right data-type for field "password" in User class (and therefore, in the postgresql DB)?

thanks

Answer 1

I used jBcrypt together with Play framework internal Crypto ( got idea from here: https://groups.google.com/forum/?fromgroups#!topic/play-framework/9KIUwWBjudQ[1-25] )

Also when I added registration for users I made sure that password has some level of complexity (at least 8 marks of miminum, big letter, one number). etc. you name it basically? But just wanted to point out that security is not just about encrypting, half of the cake is making sure that users will use complex passwords :)

Answer 2

You should use the SHA-x algorithm to hash the password. This is more or less the replacement hash function of MD5.

MessageDigest.getInstance("SHA-512").digest(toBytes(toDigest)))

But be careful, add a salt to the password before hashing it to avoid an hash table attack.

The DB column should be a varchar. The length depends on the version you use of the SHA algorithm

HIH

Answer 3

You want to hash the password, not encrypt it (See this question for more details). The current recommended approach is to use an adaptive hashing algorithm, like bcrypt. jBcrypt is a solid Java implementation that you can use.

As for DB type, you can safely just treat it as a string.