
I can't log in because I used aes_encrypt for my password field

I'm practicing programming in Java and MySQL using the NetBeans IDE. I can log in to my application using the code below. But if I encrypt my password using the aes_encrypt feature of MySQL, I don't know how to decrypt it. I know there is aes_decrypt, but I had a hard time with the syntax.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.swing.JOptionPane;

private void btnLoginActionPerformed(java.awt.event.ActionEvent evt) {
    if(lblUsername.getText().length()==0)  // Checking for empty field
        JOptionPane.showMessageDialog(null, "Empty fields detected ! Please fill up all fields");
    else if(password.getPassword().length==0)  // Checking for empty field
        JOptionPane.showMessageDialog(null, "Empty fields detected ! Please fill up all fields");
    else{
        String user = lblUsername.getText();   // Collecting the input
        char[] pass = password.getPassword();
        String pwd = String.copyValueOf(pass);  // converting from array to string
        if(validate_login(user,pwd)){
            JOptionPane.showMessageDialog(null, "Correct Login Credentials");
            MainStudentRecord mainstudentrecord = new MainStudentRecord();
            mainstudentrecord.setVisible(true);
            this.dispose();
        }
        else{
            JOptionPane.showMessageDialog(null, "Incorrect Login Credentials");
            lblUsername.setText("");
            password.setText("");
        }
    }
}

private boolean validate_login(String username,String password) {
    try{
        Class.forName("com.mysql.jdbc.Driver");  // MySQL database connection
        Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/studentrecord","neil","basabe");
        // Looks up the row by username and the stored password value as typed
        PreparedStatement pst = conn.prepareStatement("Select * from user where username=? and password=?");
        pst.setString(1, username);
        pst.setString(2, password);
        ResultSet rs = pst.executeQuery();
        if(rs.next())            // a matching row means the credentials are accepted
            return true;
        else
            return false;
    }
    catch(Exception e){
        e.printStackTrace();
        return false;
    }
}

Here is my table definition:

username varchar(16)
password varchar(16)

to:

username varchar(16)
password blob   -- this is for me to use aes_encrypt

I know this is the part that I should edit:

PreparedStatement pst = conn.prepareStatement("Select * from user where username=? and password=?");

to:

PreparedStatement pst = conn.prepareStatement("Select * from user where username=? and password=_______this is the confusing part_________");

Please help!

There are multiple issues here. I'll address the one that you have identified first:

You have transformed the password in some way to store it in the database. Perform the same transformation on it to determine if it is stored there rather than trying to reverse the transformation on the data you have stored.

The transformation you have used is a reversible encryption. You should store a non-reversible hash (and salt) of the (salted) password. It is a good idea for this to be a computationally expensive operation, considering both time and space. Using something like scrypt to generate the password hashes helps to meet that requirement.

How to store passwords is a topic that I won't go into any further. However, if it is possible not to store password data at all and use a third party (think of all those websites that allow you to log in with google/facebook/twitter/etc ... just like this one does), do that; they're much more likely than you to get secure password storage correct.
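The answer's advice applied to the question's Java login, as an added example that is neither the asker's nor the answerer's code. It uses PBKDF2-HMAC-SHA256, which ships with the JDK, in place of the scrypt the answer mentions (scrypt needs a third-party library), and assumes the `user` table gains `salt` and `password_hash` binary columns; the login query fetches those by username only and the comparison happens in Java, so nothing is ever decrypted.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStore {
    // PBKDF2-HMAC-SHA256 from the JDK; raise ITERATIONS as your hardware allows.
    private static final int ITERATIONS = 210_000;
    private static final int KEY_BITS = 256;

    // One-way transformation, run identically at registration and at login.
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();  // scrub the copy held by the spec
        }
    }

    // Constant-time comparison so timing does not reveal how many bytes matched.
    static boolean verify(char[] password, byte[] salt, byte[] storedHash) throws Exception {
        return MessageDigest.isEqual(hash(password, salt), storedHash);
    }

    // Assumed schema: user(username VARCHAR(16), salt VARBINARY(16), password_hash VARBINARY(32)).
    // Select by username only, then recompute the hash and compare in the application.
    static boolean validateLogin(Connection conn, String username, char[] password) throws Exception {
        try (PreparedStatement pst = conn.prepareStatement(
                "SELECT salt, password_hash FROM user WHERE username = ?")) {
            pst.setString(1, username);
            try (ResultSet rs = pst.executeQuery()) {
                if (!rs.next()) return false;  // unknown user
                return verify(password, rs.getBytes("salt"), rs.getBytes("password_hash"));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo with no database: "register" a password, then check a right and a wrong guess.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);  // fresh random salt per user, stored next to the hash
        byte[] stored = hash("correct horse".toCharArray(), salt);
        System.out.println(verify("correct horse".toCharArray(), salt, stored));
        System.out.println(verify("wrong guess".toCharArray(), salt, stored));
    }
}
```

At registration, store the salt and the `hash(...)` output in the two binary columns; the `char[]` from `getPassword()` can be passed straight in without converting it to a `String`.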
