简单的密码加密 - 我该怎么办？ [英] Simple password encryption - how do i do?

问题描述

如何进行简单的密码加密进入数据库？我需要这个来保持我的工作！

How do I make a simple password encryption to go into a database please? I need this to keep my job!

基本上，我需要代码来执行以下操作：
编辑

Basially I need the code to do something like: EDIT

我的本​​地PC上有一个名为Usernames的MySQL表。

I have a MySQL Table called "Usernames" on my local PC.

它有以下列：

• ID


• 用户名


• 密码


• 帐户类型

• ID
• Username
• Password
• Account Type

此表用于登录应用程序，我需要一种安全的方式来存储密码。任何人都可以帮忙吗？

This table is used to log into the application, and I am in need of a secure way of storing the password. Can anyone help?

推荐答案

将来，我建议您不要先求出一些代码，

In future, I'd suggest you refrain from begging for answers without first showing some code you've tried.

说的话，我会咬。

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;

public class EncryptHelper
{
    public static String ehashAndSalt(String passedpass) throws NoSuchAlgorithmException, NoSuchProviderException
    {
        String passwordToHash = "password";
        String salt = getSalt();

        String securePassword = getSecurePassword(passwordToHash, salt);

        return securePassword;
    }

    private static String getSecurePassword(String passwordToHash, String salt)
    {
        String generatedPassword = null;
        try
        {
            // Create MessageDigest instance for MD5
            MessageDigest md = MessageDigest.getInstance("MD5");
            //Add password bytes to digest
            md.update(salt.getBytes());
            //Get the hash's bytes
            byte[] bytes = md.digest(passwordToHash.getBytes());
            //This bytes[] has bytes in decimal format;
            //Convert it to hexadecimal format
            StringBuilder sb = new StringBuilder();
            for(int i=0; i< bytes.length ;i++)
            {
                sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
            }
            //Get complete hashed password in hex format
            generatedPassword = sb.toString();
        }
        catch (NoSuchAlgorithmException e)
        {
            e.printStackTrace();
        }
        return generatedPassword;
    }

    //Add salt
    private static String getSalt() throws NoSuchAlgorithmException, NoSuchProviderException
    {
        //Always use a SecureRandom generator
        SecureRandom sr = SecureRandom.getInstance("SHA1PRNG", "SUN");
        //Create array for salt
        byte[] salt = new byte[16];
        //Get a random salt
        sr.nextBytes(salt);
        //return salt
        return salt.toString();
    }
}

这是一个很好的和简单的帮助类，盐功能。在用户验证用户时，请务必使用与创建用户相同的salt字符串，否则认证失败。

Here's a nice and simple helper class for a hash/salt function. Just be sure to use the same "salt" string created when the user was created for when you authenticate the user, otherwise the authentication will fail.

我发现使用哈希/盐功能而不是加密更安全，因为加密可以用正确的公钥/私钥打破。

Where passwords are concerned, I find it safer to use a hash/salt function rather than encryption, as encryption can be broken with the correct public/private key.

您可以找到更多关于Java本机加密此处

You can find more information on Java's Native encryption Here.

编辑

as @james large指出，你应该随便吃盐。我已经修改了代码来显示这个。

As @james large pointed out, You should randomise the salt. I've amended the code to show this.

上面例子的来源： HowToDoInJava

I然后建议您在创建新用户时将盐和加密密码传递给数据库，然后获取包含salt和密码的结果集，并将其输入到与 getSecurePassword（）并使用这个结果作为验证。

I would then suggest you pass the salt and encrypted password to the database when creating new users, and then getting a resultset containing the salt and password and feeding it into a similar method to getSecurePassword() and using the outcome of this as a validation.

我希望这有帮助！

编辑 - 2

将另一行插入您的表中，名为salt（或任何您喜欢的），并插入一个新的用户与PreparedStatement，像这样：

Insert another row into your table called "salt" (or whatever you like), and insert a new user with a PreparedStatement, like so:

PreparedStatement pstmnt  = connection.prepareStatement
("insert into Usernames(`ID`,`Username`,`Password`,`Account type`, `salt`) values (?,?,?,?,?,)");
pstmnt.setInt(1, id); //would ideally be auto-incremented
pstmnt.setString(2, user); //user String obtained by any means
pstmnt.setString(3, securePassword); //from the hash/salt example above
pstmnt.setString(4, accType); //whatever naming structure you have for account types
pstmnt.setString(5, salt); //from the above example also.
pstmnt.executeUpdate();

这篇关于简单的密码加密 - 我该怎么办？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！