I have created a utility class for hashing and salting passwords. Then I store the user's password in a SQL database in the user table. I want to use EL to pull the password from the database, decrypt it and display it in a JSP. How do I decrypt the password that I retrieve back from the database? Here is the utility class:
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class PasswordUtil {
    /* This code uses SHA-256. If this algorithm isn't available to you,
       you could fall back to a weaker digest such as SHA-1, but that is
       not recommended. (There is no "SHA-128".)
    */
    public static String hashPassword(String password)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.reset();
        // Encode explicitly so the hash does not depend on the platform default charset.
        md.update(password.getBytes(StandardCharsets.UTF_8));
        byte[] mdArray = md.digest();
        StringBuilder sb = new StringBuilder(mdArray.length * 2);
        for (byte b : mdArray) {
            int v = b & 0xff;
            if (v < 16) {
                sb.append('0');
            }
            sb.append(Integer.toHexString(v));
        }
        return sb.toString();
    }

    public static String getSalt() {
        Random r = new SecureRandom();
        byte[] saltBytes = new byte[32];
        r.nextBytes(saltBytes);
        return Base64.getEncoder().encodeToString(saltBytes);
    }

    /* The salt has to be kept together with the hash, otherwise the stored
       value can never be checked against a login attempt. Returns
       "salt$hash" so both fit in one column; Base64 never contains '$'. */
    public static String hashAndSaltPassword(String password)
            throws NoSuchAlgorithmException {
        String salt = getSalt();
        return salt + "$" + hashPassword(password + salt);
    }

    /* Re-derives the hash from the stored salt and compares in constant time.
       This is how a hashed password is "used": by checking, not by reversing. */
    public static boolean checkPassword(String password, String stored)
            throws NoSuchAlgorithmException {
        int sep = stored.indexOf('$');
        if (sep < 0) {
            return false;
        }
        String salt = stored.substring(0, sep);
        String expected = stored.substring(sep + 1);
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                hashPassword(password + salt).getBytes(StandardCharsets.UTF_8));
    }

    public static void checkPasswordStrength(String password) throws Exception {
        if (password == null || password.trim().isEmpty()) {
            throw new Exception("Password cannot be empty.");
        } else if (password.length() < 8) {
            throw new Exception("Password is too short. " +
                    "Must be at least 8 characters long.");
        }
    }

    public static boolean validatePassword(String password) {
        try {
            checkPasswordStrength(password);
        } catch (Exception e) {
            System.out.println(e.getMessage());
            return false;
        }
        return true;
    }
}
Here is the JSP (just the table from the JSP for brevity) I want to display the decrypted password on:
<table>
    <tr>
        <td class="alignRight">First Name:</td>
        <td>${user.firstName}</td>
    </tr>
    <tr>
        <td class="alignRight">Last Name:</td>
        <td>${user.lastName}</td>
    </tr>
    <tr>
        <td class="alignRight">Phone Number:</td>
        <td>${user.phone}</td>
    </tr>
    <tr>
        <td class="alignRight">Address:</td>
        <td>${user.address}</td>
    </tr>
    <tr>
        <td class="alignRight">City:</td>
        <td>${user.city}</td>
    </tr>
    <tr>
        <td class="alignRight">State:</td>
        <td>${user.state}</td>
    </tr>
    <tr>
        <td class="alignRight">Zipcode:</td>
        <td>${user.zip}</td>
    </tr>
    <tr>
        <td class="alignRight">Email:</td>
        <td>${user.email}</td>
    </tr>
    <tr>
        <td class="alignRight">Your user name is:</td>
        <td>${user.userName}</td>
    </tr>
    <tr>
        <td class="alignRight">Temporary password:</td>
        <td>${user.password}</td>
    </tr>
</table>
Upvotes: 0
Views: 1644
Reputation: 183
Being unable to do this is the entire point of hashing passwords. (Note that you're not storing the users' passwords; you're storing the hashes.)
But if you're dead-set on it, you could try creating your own rainbow tables using your salt.
Upvotes: 0
Reputation: 1391
You can't.
As I see it, you're using the one-way hash function SHA-256. The idea of a one-way hash function is that it only goes one way; you can't undo the hash.
You'll have to look at a "two-way hash function" (encryption/decryption), if you want to be able to revert your "digested" password stored in the DB. As Elliott Frisch says, it sounds like a really bad idea to me, though.
Upvotes: 1
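Both answers make the same point: a digest cannot be reversed, so the only workable design is to show a temporary password to the user once, at the moment it is generated and before it is hashed, and afterwards only ever verify submitted passwords against the stored salt and hash. The class below is an added illustration of that flow and is not code from the question or from either answerer. It uses the JDK's PBKDF2WithHmacSHA256 key-derivation (a slow, salted construction that is a better fit for passwords than a single SHA-256 pass); the class and method names, the 210,000 iteration count, and the "iterations$salt$hash" storage layout are my own choices.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/* Hypothetical helper: generate a temporary password, store only a salted
   PBKDF2 hash of it, and later verify a login attempt against that hash. */
public class TemporaryPasswordDemo {
    private static final int ITERATIONS = 210_000;   // assumed work factor
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** Random temporary password from an alphabet without look-alike characters. */
    public static String newTemporaryPassword(int length) {
        String alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789";
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(alphabet.charAt(RNG.nextInt(alphabet.length())));
        }
        return sb.toString();
    }

    /** Value to put in the users.password column: "iterations$base64(salt)$base64(hash)". */
    public static String hashForStorage(char[] password)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        return ITERATIONS + "$" + b64(salt) + "$" + b64(hash);
    }

    /** Re-derives the hash with the stored salt and compares in constant time. */
    public static boolean verify(char[] password, String stored)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) {
            return false;   // malformed record: treat as a failed login, never as a pass
        }
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();
    }

    private static String b64(byte[] bytes) {
        return Base64.getEncoder().encodeToString(bytes);
    }

    public static void main(String[] args) throws Exception {
        String temp = newTemporaryPassword(12);
        String stored = hashForStorage(temp.toCharArray());

        // This is the one place the plaintext exists: hand it to the view
        // (or the welcome e-mail) now, then keep only `stored` in the database.
        System.out.println("Temporary password to display once: " + temp);
        System.out.println("Value stored in the user table:     " + stored);

        // Later logins are checked, not decrypted.
        System.out.println("Correct password verifies: " + verify(temp.toCharArray(), stored));
        System.out.println("Wrong password verifies:   " + verify("not-it".toCharArray(), stored));
    }
}
```

In the JSP from the question this means `${user.password}` would be set from `temp` in the request that creates the account, not read back from the database; the column only ever holds the `stored` string, which is what the answers mean by "you can't".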