Eager to Code, Enjoy to Debug ~ Embark into Each Stage with Your Heart

Encryption of User Passwords

Posted by: Chyne on: January 30, 2008

The best way to store user passwords is to use a one-way technique, that is, a digest (hash) algorithm, because a password that has been digested cannot be decrypted back into the original password. A two-way technique such as password-based encryption is a risk: once an attacker learns the encryption password (the key), every user password is revealed at once. In short, if the stored value cannot be decrypted, a stolen password table does not directly hand the passwords to the attacker. Note, though, that a plain digest of the password can still be attacked by guessing: an attacker digests candidate passwords (dictionary words, or precomputed tables of digests) and compares the results against the stolen values, so in practice a random salt per user and a deliberately slow, iterated digest are layered on top of the scheme described here. Since a digest cannot be reversed, a user who loses his or her password cannot get it back. The password has to be reset to a new value, which the system administrator emails to the user, and the user must then change that temporary password.

The Commonly Used Digest Algorithm

  1. MD5 algorithm
  2. SHA family: SHA-1 algorithm and SHA-2 variants (SHA-224, SHA-256, SHA-384 and SHA-512)

MD5 and SHA-1 have known weaknesses and should not be chosen for new systems; prefer a SHA-2 variant.

Character Strings and Byte Sequence

Of course, users enter their password as a character string. How do we validate whether the password is correct? Nothing is stored in plaintext, so we cannot compare strings. Instead we digest the entered string with the same algorithm that was used when the password was set, and compare the resulting digest with the stored digest; the comparison is always between digests, never between unencrypted strings.

Another issue is that one and the same character string can be translated into different byte sequences depending on the character encoding used, such as UTF-8, UTF-16 or ISO-8859-1 (for example, "ä" is one byte in ISO-8859-1 but two bytes in UTF-8). Why do we need to care about the encoding? Because a digest algorithm operates on bytes, whereas the user's input is a character string: if the password is digested under one encoding when it is set and under another when it is verified, the two digests will not match even though the password is correct.

How to Solve the Problem of Password Encoding?

To solve the problem, perform the string-to-byte-sequence translation with a fixed encoding, chosen once and used both when the digest is stored and when it is later verified. The most common choice is UTF-8, which is the default encoding on most Linux systems and can represent any Unicode character. The digest itself is a sequence of arbitrary bytes that in general does not form a valid character string in any encoding, so before storing it we encode the digested bytes in Base64 (hexadecimal is another common choice). The result is a valid, displayable US-ASCII character string that can be kept in a database column or a text file.
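The whole round trip described above (fixed encoding, digest, Base64, compare digests rather than plaintexts), as an added example in Python; this is not code from the original post or from Jasypt. It also shows that the same string digested under different encodings gives different results, which is the mismatch the previous section warns about. The salted, iterated variant at the end goes beyond the text: it uses PBKDF2 from the standard library's hashlib, and the "$"-separated storage record is this example's own convention. The sample password "pässword" is constructed input with a non-ASCII character on purpose.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# The encoding and digest algorithm are fixed once and shared by the code
# that stores a password digest and the code that later verifies it.
ENCODING = "utf-8"
ALGORITHM = "sha256"


def digest_bytes(password: str, algorithm: str = ALGORITHM, encoding: str = ENCODING) -> bytes:
    """Character string -> byte sequence (fixed encoding) -> raw digest bytes."""
    raw = password.encode(encoding)
    return hashlib.new(algorithm, raw).digest()


def digest_password(password: str, algorithm: str = ALGORITHM, encoding: str = ENCODING) -> str:
    """Raw digest bytes are not valid text in any encoding, so Base64-encode
    them into a displayable US-ASCII string suitable for a database column."""
    return base64.b64encode(digest_bytes(password, algorithm, encoding)).decode("ascii")


def verify_password(candidate: str, stored_digest: str) -> bool:
    """Digest the user's input the same way and compare digests, never plaintexts.
    compare_digest keeps the comparison time independent of where the first
    mismatching byte is."""
    return hmac.compare_digest(digest_password(candidate), stored_digest)


def digests_per_encoding(password: str) -> Dict[str, str]:
    """Same string, different encodings: each yields a different byte sequence
    and therefore a different digest. This is why the encoding must be fixed."""
    return {enc: digest_password(password, encoding=enc)
            for enc in ("utf-8", "utf-16-le", "iso-8859-1")}


# --- Beyond the text: salt and iterate ---------------------------------------
# A plain digest of a password can be attacked by digesting guesses and by
# precomputed tables. A random per-user salt plus a deliberately slow iterated
# digest (PBKDF2 here, from the standard library) blunts both. The record
# format "scheme$iterations$salt$digest" is an assumption of this example.

def digest_password_salted(password: str, salt: Optional[bytes] = None,
                           iterations: int = 100_000) -> str:
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for each stored password
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode(ENCODING), salt, iterations)
    return "pbkdf2-%s$%d$%s$%s" % (
        ALGORITHM, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"))


def verify_password_salted(candidate: str, stored: str) -> bool:
    """Parse the stored record, recompute with the same salt and iteration
    count, and compare in constant time. Base64 never contains '$'."""
    scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    algorithm = scheme.split("-", 1)[1]
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac(algorithm, candidate.encode(ENCODING), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample input; "pässword" has a non-ASCII character on purpose.
    stored = digest_password("pässword")
    print("stored digest:", stored)
    print("correct password verifies:", verify_password("pässword", stored))
    print("wrong password verifies:  ", verify_password("password", stored))
    for enc, d in digests_per_encoding("pässword").items():
        print("%-11s %s" % (enc, d))
    record = digest_password_salted("pässword")
    print("salted record:", record)
    print("salted verify:", verify_password_salted("pässword", record))
```

Running the script prints three different digests for the same password under UTF-8, UTF-16-LE and ISO-8859-1; an application that set the password under one of them and verified it under another would reject every correct login. The salted record stores the salt and iteration count alongside the digest so that verification can recompute exactly what was stored, and the iteration count can be raised later for new passwords without breaking old ones.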

Further reading:-
http://www.jasypt.org/howtoencryptuserpasswords.html


Friday’s Java Snack

In Java, "thread" means one of two things:

  • An instance of class java.lang.Thread
  • A thread of execution

An instance of Thread is just an object that has variables and methods, and lives and dies on the heap.

A thread of execution is a separate path of execution within the JVM process, with its own call stack (one thread per call stack); it is not a process of its own.
