Saturday, 21 May 2011

Application Security: Level - Basic, Secure the password being stored in Database (PART-1)

There are a few common questions that come to mind while adding an authentication feature to an application.

1. Our database server is secure, so what is the harm if I store passwords in plain text?

There are many reasons why you should not store passwords in plain text:

If your application is not serving valuable, confidential or sensitive information, you may choose to take the risk of storing passwords in plain text. But if your application serves valuable information (banking and finance) or confidential information (tender-related documents, etc.), you would not want any unauthorised person to view, update or delete such valuable data.

Even if you feel your database server is secure, is not directly connected to the Internet, or is protected by a firewall, there are still many ways the information can be stolen, which we are not going to discuss here.

It is very easy for a database administrator to read username/password pairs stored in plain text in the database and start misusing them.


2. How do I secure a password being stored in a database table?

Hashing and encryption are the two useful techniques for securing a password being stored in the database.

Hashing – also known as a one-way hash or message digest. Hashing is a one-way process that generates a fixed-length representation of the supplied content; if the content changes, the hash changes. Because it is one-way, a hash can be generated from the content, but the original content cannot be recovered from the hash.

Encryption – a process that converts the original content into an unreadable form. This process is reversible, and the reverse process is known as decryption.

I would strongly recommend using a one-way hash to secure password storage, unless you have a specific requirement to retrieve the original password back from its encrypted form.
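The following is an added example (not code from the original post; the Java sample promised below is separate) showing the one-way approach in Python: the database record holds only a salt and a hash, logging in recomputes the hash and compares it, and a one-character change to the password produces a different hash. It goes a little beyond the text by using a per-user random salt and a slow hash (PBKDF2-HMAC-SHA256); the `salt$hash` record format and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: store a salted one-way hash instead of the plain-text password.
# Assumptions (not from the post): PBKDF2-HMAC-SHA256, 16-byte random salt,
# and a "salt$digest" hex record format for the database column.

ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'salt$digest' (hex) suitable for storing in the DB."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Properties of one-way hashing described in the post, checked on a constructed password."""
    record = hash_password("S3cret!")  # constructed sample password
    return {
        "fixed_length": len(record.split("$", 1)[1]) == 64,  # 32-byte digest as hex
        "correct_accepted": verify_password("S3cret!", record),
        "one_char_change_rejected": not verify_password("S3cret?", record),
        "same_password_new_salt_differs": hash_password("S3cret!") != record,
    }


if __name__ == "__main__":
    print(demo())
```

Only the `salt$digest` record is written to the database; the plain-text password is never persisted and cannot be recovered from the record.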

In the next post we'll have a detailed discussion about how to implement the one-way hashing technique in the application to secure passwords stored in the database. I'll also post some sample Java code to generate a one-way hash.
