Reputation: 25
I'm working on a group project that will have user accounts. Right now I'm trying to figure out how to encrypt, store, and check passwords. We have already implemented storing the passwords, but not yet encrypting them and then storing them. I'm using the Java library Jasypt, more specifically I'm using their StandardStringDigester class.
My problem is that whenever I digest the same string it comes out differently. The only way I can find to accurately check if a string matches a digested string is to use the Digester's Match method. This method requires two arguments, the unencrypted password string and the digested one. As far as I'm aware, however, validation should never be done on the client side, and the server side should never see the undigested password. So how do I digest a password, send it to the server, then check if it matches the stored (also digested) password for that user?
Upvotes: 0
Views: 357
Reputation: 12087
To securely store the password, you should understand how and why; you may search the forum a little, there are many resources about this topic.
This is one of the more comprehensive: https://crackstation.net/hashing-security.htm
My problem is that whenever I digest the same string it comes out differently.
As far as I know, the StandardStringDigester uses a salt to hash the input. It means the digest comes out randomized every time. It is how it should be.
So how do I digest a password, send it to the server,
You send the password in cleartext to the server; TLS (HTTPS) should take care of integrity and confidentiality.
then check if it matches the stored (also digested) password for that user?
I believe you are looking for the matches method: matches(String message, String digest). Jasypt should take the salt and create a new digest with the same salt. If I am wrong, please correct/comment.
Upvotes: 1
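To make the salt behaviour concrete, here is an added example (not code from the question, the answer, or the Jasypt project) that wires a StandardStringDigester into a registration and login flow. The algorithm, iteration count and salt size below are this editor's chosen settings, not Jasypt's defaults (which are MD5, 1000 iterations and an 8-byte salt); the class and method names `PasswordStore`, `storeable` and `check` are illustrative. The point it shows: digest() prepends a fresh random salt to each output, so two digests of the same password differ, and matches() reads that salt back out of the stored digest to recompute and compare, so the server only ever needs the cleartext it received over TLS plus the stored digest.

```java
import org.jasypt.digest.StandardStringDigester;

public class PasswordStore {

    // One configuration, used both when creating digests (registration)
    // and when checking them (login). Changing these settings later would
    // invalidate digests already stored with the old settings.
    private static StandardStringDigester newDigester() {
        StandardStringDigester digester = new StandardStringDigester();
        digester.setAlgorithm("SHA-256");   // assumption: stronger than the MD5 default
        digester.setIterations(100000);     // assumption: slows down offline guessing
        digester.setSaltSizeBytes(16);      // random salt, stored inside the digest string
        digester.initialize();
        return digester;
    }

    private final StandardStringDigester digester = newDigester();

    // Registration: the returned string already carries its own salt,
    // so it is the only thing that has to be stored for the user.
    public String storeable(String cleartextPassword) {
        return digester.digest(cleartextPassword);
    }

    // Login: the cleartext arrives from the client over TLS. matches()
    // extracts the salt from storedDigest, re-digests the candidate with
    // that same salt and compares the result; no undigested password is
    // ever kept on the server.
    public boolean check(String cleartextPassword, String storedDigest) {
        return digester.matches(cleartextPassword, storedDigest);
    }

    public static void main(String[] args) {
        PasswordStore store = new PasswordStore();

        // Constructed sample input: the same password digested twice.
        String first = store.storeable("correct horse battery staple");
        String second = store.storeable("correct horse battery staple");

        // Different random salt on each call, so the two strings differ
        // even though the password is identical.
        System.out.println("digests identical: " + first.equals(second));

        // Both stored digests still verify against the right password,
        // and a wrong password verifies against neither.
        System.out.println("first verifies:  " + store.check("correct horse battery staple", first));
        System.out.println("second verifies: " + store.check("correct horse battery staple", second));
        System.out.println("wrong verifies:  " + store.check("wrong password", first));
    }
}
```

Two practical caveats follow from this: keep the digester configuration fixed once digests are in the database (or version it alongside the stored value), and never compare digest strings with `equals()` yourself, since two valid digests of one password are expected to be unequal; always go through `matches()`.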