4 Replies Latest reply on Jul 31, 2007 10:54 PM by blackers

    Storing Password as MD5 Hash

    blackers

      Is it possible to use EJB3 and be able to store my password as an MD5 hash instead of in plain text?

      I have tried

      
      @Column(name = "password", nullable = false, length = 255)
      @NotNull
      @Length(max = 255)
      public String getPassword() {
          return this.password;
      }

      public void setPassword(String password) {
          this.password = Util.createPasswordHash("MD5", Util.BASE64_ENCODING, null, null, password);
      }
      
      


      However, the correct password is not stored. I guess the problem is that if setPassword is called more than once, I am getting the hash of the hash.



        • 1. Re: Storing Password as MD5 Hash

          It is common to put the encryption method into curly brackets and prepend that to the hash to show whether it is plaintext or a hash.


          Regards

          Felix

          • 2. Re: Storing Password as MD5 Hash
            karl.martens

            An alternative to appending something to the encrypted password string that you can check to determine if the password requires encryption or not is to change the access method from PROPERTY to FIELD (map the fields instead of the getter method).

            This will allow the persistence provider to inject the value as stored in the database on the field and allow you to define behaviour to the getter and setter methods independently; allowing you to encrypt the data. Each entity can only have a single access method; so you'll have to make the same change for all your mapped columns in this entity.

            For a two-way hash my preference is to create a user type that encrypts and decrypts the data as it is sent to or retrieved from the database. (Hibernate specific)

            @Column(name = "password", nullable = false, length = 255)
            private String password;

            public String getPassword() {
                return this.password;
            }

            public void setPassword(String password) {
                this.password = Util.createPasswordHash("MD5", Util.BASE64_ENCODING, null, null, password);
            }
            


            • 3. Re: Storing Password as MD5 Hash
              genman

              What I have often done with entities is create a setter, such as "setUnencryptedPassword", and make a getter (dummy) that is marked @Transient.

              • 4. Re: Storing Password as MD5 Hash
                blackers

                Thanks for all your help. I have used Karl's method and it is now working as I would have liked.
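
The hash-of-the-hash effect from the question and the field-access fix from reply 2, as an added example that is not part of the original thread or any poster's code. Assumptions: `md5Base64` stands in for JBoss's `Util.createPasswordHash` using the JDK's `MessageDigest`, and `loadViaProperty` / `loadViaField` are hypothetical helpers that imitate how a persistence provider populates an entity under each access type.

```java
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class AccessTypeDemo {
    // Assumed stand-in for Util.createPasswordHash("MD5", Util.BASE64_ENCODING, ...): Base64(MD5(input)).
    static String md5Base64(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Hypothetical entity carrying the hashing setter from the thread (JPA annotations omitted).
    static class User {
        private String password;
        public String getPassword() { return password; }
        public void setPassword(String plain) { this.password = md5Base64(plain); }
    }

    // PROPERTY access: the provider hands the stored column value to the setter, which hashes it again.
    static User loadViaProperty(String columnValue) {
        User u = new User();
        u.setPassword(columnValue);
        return u;
    }

    // FIELD access: the provider writes the stored column value directly into the field.
    static User loadViaField(String columnValue) throws ReflectiveOperationException {
        User u = new User();
        Field f = User.class.getDeclaredField("password");
        f.setAccessible(true);
        f.set(u, columnValue);
        return u;
    }

    public static void main(String[] args) throws Exception {
        User created = new User();
        created.setPassword("s3cret-example");            // constructed sample password
        String stored = created.getPassword();            // value that ends up in the password column
        String candidate = md5Base64("s3cret-example");   // hash computed for a later login attempt
        System.out.println("property-access match: " + candidate.equals(loadViaProperty(stored).getPassword()));
        System.out.println("field-access match:    " + candidate.equals(loadViaField(stored).getPassword()));
    }
}
```

MD5 is kept here only to mirror the thread; unsalted MD5 is not adequate for password storage, where a salted, deliberately slow function such as PBKDF2, bcrypt, scrypt or Argon2 is the appropriate choice.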