
Password Encryption and Decryption Using jBCrypt


Looking to create a great password for your sensitive files? Read on to learn how to generate a random password and how to hash that password.


In this article, we will look at how to generate random passwords containing alphanumeric and special characters and how to hash them with jBCrypt, a Java implementation of the one-way bcrypt hashing algorithm.

Generating a Random Password

I'll use the Passay library to generate random passwords having alphanumeric and special characters. The following code block is a sample code to generate a random password using the Passay library. It also allows you to configure the character length of the resultant password.

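import java.util.Arrays;
import java.util.List;
import org.passay.CharacterRule;
import org.passay.EnglishCharacterData;
import org.passay.PasswordGenerator;
public String generateRandomPassword() {
    // Require at least one character from each class.
    List<CharacterRule> rules = Arrays.asList(
        new CharacterRule(EnglishCharacterData.UpperCase, 1),
        new CharacterRule(EnglishCharacterData.LowerCase, 1),
        new CharacterRule(EnglishCharacterData.Digit, 1),
        new CharacterRule(EnglishCharacterData.Special, 1));
    PasswordGenerator generator = new PasswordGenerator();
    String password = generator.generatePassword(8, rules); // 8 = password length
    return password;
}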

You can find more reference examples of using Passay here: Random Password Generator

Once a random alphanumeric password is generated, we'll use jBCrypt to hash it.

Password Hashing Using jBCrypt

jBCrypt is a Java implementation of bcrypt, a one-way, adaptive password hashing algorithm based on the Blowfish cipher. BCrypt internally generates a random salt each time it hashes a password, so hashing the same string twice gives two different results. What stays constant is the length: the result is always a String of length 60.

The following code hashes a string using jBCrypt:

import org.mindrot.jbcrypt.BCrypt;
private String hashPassword(String plainTextPassword) {
    return BCrypt.hashpw(plainTextPassword, BCrypt.gensalt());
}

Once the password is hashed, we can save it to the database. Whenever a plain-text password needs to be matched against the hashed password stored there, we can do the following:

private void checkPass(String plainPassword, String hashedPassword) {
    if (BCrypt.checkpw(plainPassword, hashedPassword)) {
        System.out.println("The password matches.");
    } else {
        System.out.println("The password does not match.");
    }
}

Storing plain-text passwords in a database is always a security risk. Hence, we can use the above implementations to save a hashed password to the database instead of saving a plain-text password.
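The salting, fixed 60-character output and verification described above can be seen together in the following added example, which is not part of the original article. It goes one step further by reading the work factor back out of a stored hash; the class name, helper names and TARGET_COST value are assumptions, and it relies on jBCrypt writing hashes with the $2a$ prefix.

```java
import org.mindrot.jbcrypt.BCrypt;

public class BcryptStorageDemo {
    // Assumed target work factor for this example; gensalt() with no argument uses 10.
    static final int TARGET_COST = 12;

    static String hash(String plain) {
        return BCrypt.hashpw(plain, BCrypt.gensalt(TARGET_COST));
    }

    // A stored value that is missing, truncated or corrupted counts as a failed check.
    static boolean verify(String plain, String stored) {
        if (stored == null || stored.length() != 60 || !stored.startsWith("$2a$")) {
            return false;
        }
        try {
            return BCrypt.checkpw(plain, stored);
        } catch (IllegalArgumentException e) {
            return false; // jBCrypt rejects a malformed salt or cost field
        }
    }

    // Layout: $2a$<2-digit cost>$<22-char salt><31-char hash>, so the cost sits at offset 4.
    static int costOf(String stored) {
        return Integer.parseInt(stored.substring(4, 6));
    }

    // True when a hash was created with a lower cost than the current target.
    static boolean needsRehash(String stored) {
        return costOf(stored) < TARGET_COST;
    }

    public static void main(String[] args) {
        String password = "Constructed-Sample-1!"; // constructed sample value
        String first = hash(password);
        String second = hash(password);
        String legacy = BCrypt.hashpw(password, BCrypt.gensalt()); // default cost

        System.out.println("same input, different hashes: " + !first.equals(second));
        System.out.println("lengths: " + first.length() + ", " + second.length());
        System.out.println("both verify: " + (verify(password, first) && verify(password, second)));
        System.out.println("wrong password verifies: " + verify("not-the-password", first));
        System.out.println("truncated record verifies: " + verify(password, first.substring(0, 40)));
        System.out.println("legacy cost " + costOf(legacy) + " needs rehash: " + needsRehash(legacy));
    }
}
```

A hash flagged by needsRehash can only be upgraded at login, when verify has just succeeded and the plain-text password is available to hash again at the higher cost.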


Published at DZone with permission of Dhiraj Ray. See the original article here.
