0

In my Java application, my passwords are sent encrypted to the database in a HEX representation generated from a SH256. I am confused about how to determine if a user has the correct password when logging in. If anyone can point me in the right direction it would be appreciated.

Thanks

James_B
  • 137
  • 7
  • SHA256 is hashing and not encryption. Some information can be found [here](https://stackoverflow.com/questions/4948322/fundamental-difference-between-hashing-and-encryption-algorithms). Regarding what you are asking, you would be expected to hash the user's password and then compare it against the value in the database. – Ravindra HV Oct 18 '19 at 23:51

3 Answers

0

The correct way is to get the password from the front-end, encrypt it with the same algorithm and compare the encrypted value with the stored password.

Luke
  • 516
  • 2
  • 10
  • So if I use the same method each time for the encryption, then they will match? – James_B Oct 18 '19 at 22:02
  • Yes. The same string will produce the same encrypted value. – Luke Oct 18 '19 at 22:03
  • Everything about this answer is bad advice. MD5 is insecure and obsolete. MD5 is not an encryption algorithm but a hash algorithm. Use more secure hash algorithms, like SHA256 (which I suspect OP means with SH256). The front end should not hash the password. The connection between the client and server should be secured (https). The password is sent as it is. The back end should then hash the password and compare the stored hash for the user. – Sani Huttunen Oct 18 '19 at 22:27
  • This is what I said in the previous answer but he downvoted it so I changed it to this one. Go check the answer history. I don't know why he downvoted the previous answer. – Luke Oct 18 '19 at 22:30
  • @Luke: Well... Why change a bad answer to a worse? – Sani Huttunen Oct 18 '19 at 22:31
  • I changed to the original answer – Luke Oct 18 '19 at 22:32
  • Still not a good answer since there is no encryption going on. Only hashing of passwords. – Sani Huttunen Oct 18 '19 at 22:32
  • The concepts of encryption and hashing are very different. Applying that to passwords, there are severe security issues if using encryption instead of hashing. – Sani Huttunen Oct 18 '19 at 22:36
  • Firstly, sorry, I did not mean to downvote it. I am only using SH256 as it was assigned to me by a prof with no info on how to do it, and all the online documentation I can find just says it's obsolete and closes the thread. Thanks anyway. – James_B Oct 18 '19 at 22:37
  • I am not talking about hashing or encrypting. I am talking about the action to take if you want to compare an encrypted/hashed password with another, non-encrypted/hashed received password. – Luke Oct 18 '19 at 22:40
0

The default and most secure way we have today to store and validate user passwords is a "salted slow hash" (a simple hash may not be good enough).

This is one of the clearest articles on why and how: https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/

> encrypted to the data base in a HEX representation generated from a SH256.

Let's assume you mean the password is hashed using SHA-256. As already commented, there is a difference between encryption and hashing, and in this domain you need to be clear.

> I am confused on how to determine if a user has the correct password

  • Select the salt stored along with the hash of the user's password
  • Hash the user-provided password (provided at logon) with the salt
  • Select the user record from the DB where the username and the password hash match
gusto2
  • 11,210
  • 2
  • 17
  • 36
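Those three steps in Java, as an added example that is not part of gusto2's answer. It assumes the JDK's built-in PBKDF2WithHmacSHA256 as the salted slow hash (SHA-256 is the underlying PRF), an in-memory map as a stand-in for the users table, and java.util.HexFormat (Java 17+) for the hex representation the question mentions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordStore {
    private static final int ITERATIONS = 210_000; // deliberately slow; tune for your hardware
    private static final int SALT_BYTES = 16;
    private static final int HASH_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Stand-in for the users table (constructed): username -> "iterations:saltHex:hashHex"
    private final Map<String, String> users = new HashMap<>();

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    /** Registration: draw a fresh random salt per user and store iterations, salt and hash together. */
    public void register(String username, char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        HexFormat hex = HexFormat.of();
        users.put(username, ITERATIONS + ":" + hex.formatHex(salt) + ":" + hex.formatHex(hash));
    }

    /** Logon: fetch the stored salt, re-hash the supplied password with it, compare in constant time. */
    public boolean verify(String username, char[] password) throws Exception {
        String record = users.get(username);
        if (record == null) return false; // unknown user (hash a dummy value here to equalise timing)
        String[] parts = record.split(":");
        HexFormat hex = HexFormat.of();
        byte[] salt = hex.parseHex(parts[1]);
        byte[] expected = hex.parseHex(parts[2]);
        byte[] actual = pbkdf2(password, salt, Integer.parseInt(parts[0]));
        return MessageDigest.isEqual(expected, actual); // constant-time comparison, not Arrays.equals
    }

    public static void main(String[] args) throws Exception {
        PasswordStore store = new PasswordStore();
        store.register("james", "correct horse battery staple".toCharArray());
        System.out.println(store.verify("james", "correct horse battery staple".toCharArray()));
        System.out.println(store.verify("james", "wrong password".toCharArray()));
    }
}
```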
0

You should store the password in a hashed form. In that way you won't be able to reverse engineer it to get the original password. Now you might ask why do a one-way hash for storing a password? The thing is, you don't want anyone to reverse engineer your data in your DB. Even if someone has access to your DB they still won't be able to know the actual password. Now, how do you verify the password if you yourself can't get the original password?

The thing is, you don't have to. You just have to let the user enter his password, then you hash the entered password (and since a hash of the same data will always generate the same hash) you can easily verify whether the password entered by the user and hashed by you matches the already hashed and stored password.

In simpler terms, you have to take a password p and store it in the DB as hashed password hashed_p during registration. Now when you want to log in or verify the password, you again ask the user to enter the password. Now you will hash the password p entered by the user and generate a hashed password hashed_p. And then you will compare this hashed_p with the hashed password hashed_p in your database.

So to verify you will have to check if the hash of the password entered by the user is equal to the hash of the password stored in DB. That's how hashing of a password works.

dxjuv
  • 879
  • 1
  • 8
  • 28