Reputation: 20150
Saving Password with Md5
I am using Postgresql,hibernate and Java and I need to store a password. Can someone suggest me how to encrypt the password with md5. Else is there a better way to store secure password in the database
Thanks
Upvotes: 5
Views: 8931
Answers (6)
Reputation: 838156
MD5 isn't an encryption algorithm - it is a cryptographic hash function. This is very different! You can store the hashed password in the database, but you cannot (in general) recover the password from the password's hash. This is by design.
In some cases it is possible to get the password back from the hash - for example if the password is a dictionary word it could be recovered using a dictionary attack. If the password is short enough and uses a characters from a limited range a brute force or rainbow table attack could recover the password. When you store a hashed password you should use a salt and key strengthening (for example PBKDF2) to make these attacks more difficult.
You should also be aware that MD5 is considered broken and it is recommended not to use it for new applications. There are better alternatives, for example SHA-256.
Upvotes: 5
Reputation: 1155
You shouldn't use md5 for password hashing. It's built for speed which makes it easier to attack. Use bcrypt instead. Also, you're not supposed to try to decrypt the password after it has been stored. See the examples on the bcrypt page for how to verify a password from user input. More information on how to store passwords safely.
jBcrypt is real simple to use too. Here's how you hash a password:
BCrypt.hashpw(password_from_user, BCrypt.gensalt());
And to verify it:
BCrypt.checkpw(password_from_user, hashed_password_from_database)
Upvotes: 9
Reputation: 405745
If you're going to use a hashing algorithm, you don't (can't) decrypt the password. You hash the password and store the hash. When the user provides their password in the future, you hash it with the same algorithm and compare the new hash with what you stored before.
You can use the MessageDigest class in Java to hash a value. Ref: Get MD5 hash in a few lines of Java.
Edit: Also, I agree with the others who are saying not to use MD5 for this anymore. It's an old algorithm that used to be common, but it's been attacked to the point of worthlessness (for passwords). There are all sorts of resources online for MD5 reverse lookup.
Upvotes: 2
Reputation: 1234
1) There is no decrypt for MD5.
2) MD5 is old technology which is excellent for checking to see if two strings are the same.
3) MD5 is subject to dictionary assaults.
4) MD5 can be made more secure by using a salt.
5) We use MD5 for low level security because the hash can be easily duplicated across platforms. (C++, vb.net, VB6, C#, php ...)
Upvotes: 3
Reputation:
You can do it in postgres if you install the pgcrypto contrib module.
You can then encrypt passwords like this:
update ... set passwordhash = crypt('new password', gen_salt('md5'));
Of course you can't decrypt it at all!
As others have pointed out, this may be a bad idea, depending on what you are trying to do. I've been forced to use MD5 before because another application has demanded it, but you don't want to be broadcasting that hash to the world.
Upvotes: 0
Related Questions
- Java + MySQL: Do i have a good way to encrypt a password?
- How to match original password with encrypted password entry in database on login
- Password Encryption and store in database
- How to store password encrypted in database?
- Password encryption in Java using MD5 and Salt
- Password Encryption
- encrypt database username and password in java?
- Using passwordField to connect to mySQL
- How to rehash password which is stored in database using MD5?
- Secure database password using a SQL connection