如何在数据库中存储密码?
[英]how to store passwords in database?
问题描述
I use jsp and servlets in my web application. 
我在我的Web应用程序中使用jsp和servlet。 i need to store passwords in the database. 我需要在数据库中存储密码。 I found that hashing will be the best way to do that. 我发现哈希将是最好的方法。 I used this code to do it. 我用这个代码来做。
<%@page import="com.jSurvey.entity.*" %>
<%@page import="java.security.MessageDigest" %>
<%@page import="java.security.NoSuchAlgorithmException" %>
<%@page import="java.math.BigInteger" %>
<%@page import="com.jSurvey.controller.*" %>
<%@page import="sun.misc.BASE64Encoder" %>
<%try {
String user = request.getParameter("Username");
String pass = request.getParameter("Password1");
String name = request.getParameter("Name");
String mail = request.getParameter("email");
String phone = request.getParameter("phone");
String add1 = request.getParameter("address1");
String add2 = request.getParameter("address2");
String country = request.getParameter("country");
Login login = new Login();
Account account = new Account();
login.setId(user);
login.setPassword(pass);
if (!(add1.equals(""))) {
account.setAddress1(add1);
}
if (!(add2.equals(""))) {
account.setAddress2(add2);
}
if (!(country.equals(""))) {
account.setCountry(country);
}
account.setId(user);
account.setMail_id(mail);
if (!(phone.equals(""))) {
account.setPhone_no(Long.parseLong(phone));
}
account.setName(name);
java.security.MessageDigest d = null;
d = java.security.MessageDigest.getInstance("SHA-1");
d.reset();
d.update(pass.getBytes("UTF-8"));
byte b[] = d.digest();
String tmp = (new BASE64Encoder()).encode(b);
account.setPassword(tmp);
account.setPrivilege(1);
LoginJpaController logcon = new LoginJpaController();
AccountJpaController acccon = new AccountJpaController();
logcon.create(login);
acccon.create(account);
session.setAttribute("user", user);
response.sendRedirect("dashboard.jsp");
} catch (NumberFormatException ex) {
out.println("Invalid data");
}
%>
When i tried to print the value of tmp, i get some other value.i guess its the hash value of the password. 当我试图打印tmp的值时,我得到了一些其他值。我猜它是密码的哈希值。 But when i persist this data to the database the original password gets saved there other than the value in tmp.. 但是当我将这些数据保存到数据库时,原始密码将被保存在那里,而不是tmp中的值。
I am using java derby as the database. 我使用java derby作为数据库。
What is the problem??? 问题是什么???
3 个解决方案
解决方案1
8 2010-06-03 07:01:46
Apache has a commons library, namely Commons Codec , that makes it easier to encode the password. Apache有一个公共库,即Commons Codec ,它可以更容易地对密码进行编码。 It will do the entire job for you. 它将为您完成整个工作。
import org.apache.commons.codec.digest.DigestUtils;
String pw = DigestUtils.sha256Hex(password);
Or if you want base64: 或者如果你想要base64:
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.codec.binary.Base64;
byte[] pwBytes = DigestUtils.sha(password);
String b64Pass = Base64.encodeBase64String(pwBytes);
解决方案2
5 已采纳 2010-06-03 06:33:00
- Add salt . 加盐 。 For example append the email to the password before hashing. 例如,在散列之前将电子邮件附加到密码。 This will prevent the usage of rainbow tables 这将阻止彩虹表的使用
- Make sure you use
tmpin yourINSERTquery, rather than the original password.确保在INSERT查询中使用tmp,而不是原始密码。 - Don't use
BASE64Encoder.不要使用BASE64Encoder。 It is part of Sun's internal libraries and is subject to change.它是Sun内部库的一部分,可能会发生变化。 Use commons-codec Base64使用commons-codec Base64
解决方案3
0 2010-06-03 06:50:36
Try this it should work. 试试这个它应该工作。
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class MD5 {
public static void main(String[] args) {
try{
MessageDigest alg = MessageDigest.getInstance("MD5");
String password = "123456";
alg.reset();
alg.update(password.getBytes());
byte[] msgDigest = alg.digest();
BigInteger number = new BigInteger(1,msgDigest);
String str = number.toString(16);
System.out.println(str);
}catch(NoSuchAlgorithmException e){
e.printStackTrace();
}
}
} }
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.