4

I am using Spring MVC and I want to encrypt the password that gets saved in the DB. I had a look at other threads and they suggest going with MD5. Is it good practice to go with MD5, or is there any other method in Spring to achieve it?

1
  • 1
    If you are using spring-security, you can use the Spring Security password encoders, and you can also implement your own. Commented Feb 24, 2017 at 5:13

4 Answers

2

You can use BCryptPasswordEncoder to encode your password. In order to do that, you will need to create a bean of this class.

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

And while registering your user (saving a new user to the database), you can autowire PasswordEncoder and call the encode method to encode your password:

@Autowired
private PasswordEncoder passwordEncoder;

public User registerUser(User user) {
    // other logic

    // encode() produces a salted one-way BCrypt hash, not reversible encryption
    String hashedPassword = passwordEncoder.encode(user.getPassword());
    user.setPassword(hashedPassword);

    // logic to save the user to DB
    return user;
}

2 Comments

Thanks for your answer, but I cannot understand: if I encrypt the password this way, how can the password match when I am trying to log in? Because, if I'm not wrong, 'BCryptPasswordEncoder' generates a different value every time. By the way, I'm new to Spring :)
When you are trying to log in, and if you are passing the password to the login method as simple text, then you will need to call the encode method again on the password the user has provided while logging in and then compare.
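
The login question raised in the comments above, worked through as an added example (not code from the original answers): each `encode` call draws a fresh random salt, so a stored BCrypt hash is checked with `PasswordEncoder.matches`, which reads the salt and cost back out of the stored string. The class name, the cost of 12 and the sample passwords are assumptions; `spring-security-crypto` must be on the classpath.

```java
// Added example, not from the original answers.
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptLoginDemo { // hypothetical class name

    // Registration: hash the raw password; only this string is stored in the DB.
    static String hashForStorage(PasswordEncoder encoder, String rawPassword) {
        return encoder.encode(rawPassword);
    }

    // Login: matches() re-derives the hash from the submitted password using
    // the salt and cost embedded in the stored value, then compares.
    static boolean login(PasswordEncoder encoder, String submitted, String storedHash) {
        return encoder.matches(submitted, storedHash);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder(12); // cost 12 is an assumed setting
        String raw = "correct horse battery staple";             // constructed sample password

        String stored = hashForStorage(encoder, raw);
        String again = encoder.encode(raw); // same password, new random salt

        // Stored format: $<version>$<cost>$<22-char salt><31-char hash>
        String[] parts = stored.split("\\$");
        System.out.println("stored hash       : " + stored);
        System.out.println("version / cost    : " + parts[1] + " / " + parts[2]);
        System.out.println("embedded salt     : " + parts[3].substring(0, 22));

        // Comparing two encode() outputs as strings fails even for the right password.
        System.out.println("two encodes equal : " + stored.equals(again));

        System.out.println("right password    : " + login(encoder, raw, stored));
        System.out.println("wrong password    : " + login(encoder, "guess123", stored));
        System.out.println("matches 2nd hash  : " + login(encoder, raw, again));
    }
}
```

Because the cost is stored inside each hash, raising the encoder's strength later does not invalidate existing rows; older hashes still verify with their original cost.
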
1

Can you clarify if you are looking for Spring Security or Spring MVC? Your question title is "Password encryption in Spring MVC" whereas you have tagged the question for Spring Security.

Spring Security suggests using the following: org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder

http://docs.spring.io/spring-security/site/docs/4.2.1.RELEASE/reference/html/core-services.html#core-services-password-encoding

2 Comments

I am looking for password encryption in Spring Security
Great, I have shared the relevant link from the Spring reference pages. If you need any help, add a comment.
1

Don't use MD5. The problem with MD5 hashing is that it is relatively quick to do, and if someone gets hold of the hashes they can brute-force them pretty easily. There are also rainbow tables, which are lists of passwords with their associated MD5 hashes.

As @Jan Nielsen suggests, BCrypt is far superior. I personally use PBKDF2. Both these approaches work by using a random salt while generating the hash. In the database you store the salt and the hashed password. I like to go one step further and also store the number of iterations that was used to create the hash.

Here is a good blog on password encryption that covers the details in more depth with code samples. https://crackstation.net/hashing-security.htm


0

No; use BCrypt -- available in Spring with BCryptPasswordEncoder.
