Reputation: 51
I am using Spring MVC and I want to encrypt the password that gets saved in the DB. I had a look at other threads and they suggest going with MD5. Is it good practice to go with MD5, or is there any other method in Spring to achieve it?
Upvotes: 4
Views: 10999
Reputation: 72
Can you clarify whether you are looking for Spring Security or Spring MVC? Your question title is "Password encryption in Spring MVC", whereas you have tagged the question for Spring Security.
Spring Security suggests using the following: org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
Upvotes: 1
Reputation: 4597
You can use BCryptPasswordEncoder to encode your password. In order to do that, you will need to create a bean of this class:
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
And while registering your user (saving a new user to the database), you can autowire PasswordEncoder and call its encode method to encode your password:
    @Autowired
    PasswordEncoder passwordEncoder;

    public User registerUser(User user) {
        // other logic
        // encode() hashes the raw password with the configured encoder (BCrypt here)
        String encryptedPassword = passwordEncoder.encode(user.getPassword());
        user.setPassword(encryptedPassword);
        // logic to save the user to DB
        return user;
    }
Upvotes: 2
Reputation: 12491
Don't use MD5. The problem with MD5 hashing is that it is relatively quick to do, and if someone gets hold of the hashes they can brute-force them pretty easily. There are also rainbow tables, which are lists of passwords with their associated MD5 hashes.
As @Jan Nielsen suggests, BCrypt is far superior. I personally use PBKDF2. Both these approaches work by using a random salt while generating the hash. In the database you store the salt and the hashed password. I like to go one step further and also store the number of iterations that was used to create the hash.
Here is a good blog on password encryption that covers the details in more depth with code samples. https://crackstation.net/hashing-security.htm
Upvotes: 1
Reputation: 11849
No; use BCrypt -- available in Spring with BCryptPasswordEncoder.
Upvotes: 0