matching user's password from record in db

In my web app which uses servlets and hibernate. I need to authenticate a Customer who enters a password.

If he is already in database, I need to check if his password matches that of the record in db.For a new Customer, I want to take a password and create a record for him. I tried to do it this way for the scenarios.

Existing Customer enters an emailAddress and password

String email = req.getParameter("emailAddress");
String password = req.getParameter("password");
Customer cust = dao.findByEmailAddress(email);

Now, how do I check if this cust object is associated with a password and that matches what the user entered? Manning's hibernate book example stores password as a String in Customer class. Is this a good idea? How will this be stored in database?

When using hibernate, how can this be handled? I have heard people mentioning about storing passwords as hash. But I am not very sure how I can do this in my app.

Can someone tell me how I can开发者_运维知识库 tackle this?

---

Storing plain text passwords is never a good idea. In fact it is listed as #8 threat in the Top 25 Most Dangerous Software Errors.

You need to encrypt the passwords before writing them in the database. When searching for a user use the encrypted password

String email = req.getParameter("emailAddress");
String password = req.getParameter("password");
String encryptedPassword = MD5Helper.hashPassword(password)
Customer cust = dao.findByEmailAddressAndPassword(email, encryptedPassword);

You can use something like this to encrypt the passwords using the MD5 algorithm.

public class MD5Helper {

    private static final int MD5_PASSWORD_LENGTH = 16;

    public static String hashPassword(String password) {
        String hashword = null;
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            md5.update(password.getBytes());
            BigInteger hash = new BigInteger(1, md5.digest());
            hashword = hash.toString(MD5_PASSWORD_LENGTH);
        } catch (NoSuchAlgorithmException nsae) {
            // handle exception
        }
        return hashword;
    }
}

---

You have to decide how to store passwords. If you store them as a String in a Hibernate entity, they will be stored in a varchar in database, in clear text. Anyone having access to the database will thus be able to see them. Authenticating in this case consists in comparing the sent password with the one in database.

There are two other possibilities

The first one consists in encrypting them with a secret key before storing them in database. But this secret key will have to be stored somewhere in order for your application to decrypt them and compare the decrypted password with the one sent by the user. But it could at least reduce the visibility of the password only to the persons having acces to the application deployment directory. Authenticating in this case consists in decrypting the password stored in database with the secret key, and compare it with the password sent by the user. If they are equal, then the user sent the correct password.

The last possibility would be to use a one-way hash algorithm (like SHA-1, for example), also known as message digest algorithm. This way, there is no need for a secret key, and it would be very hard (read : nearly impossible) for anyone to get access to the password (if the password is salted). The drawback of this solution is that if a user looses his password, you won't be able to send him. The only possibility is to reset him to a new value, send this new password to the user and ask him to choose a new one. Authenticating the user, in this case, consists in hashing the password he sends and comparing with the hash stored in database.

Read http://en.wikipedia.org/wiki/Salt_(cryptography) for more detailed explanations.

---

Usually password are stored encrypted in a database and you have to encrypt the input password to check if it matches.

String passwordEncrypted = encrypt(password);

where encrypt is your function that crypt the password (you can try with MD5 or SHA-1, for example).

After you've retrieved your object cust, you can check if

if (cust.getPassword().equals(passwordEncrypted)) {
    // login successfull code
} else {
    // login failed code
}