You have no excuse NOT to encrypt the passwords of your users

If you’re using Hibernate and your site stores user passwords, there’s a handy library called Jasypt that lets you transparently encrypt the password column: you map the property to a Jasypt type, and Hibernate encrypts on write and decrypts on read without any change to the code that uses the entity.

First add the following to your pom.xml:

    <dependency>
      <groupId>org.jasypt</groupId>
      <artifactId>jasypt</artifactId>
      <version>1.7.1</version>
      <scope>compile</scope>
    </dependency>

Then take your entity and add the following definitions. The @TypeDef registers a Hibernate custom type named encryptedString, backed by the Jasypt encryptor that will be registered under the name strongHibernateStringEncryptor (that registration is done in the Spring configuration further down), and @Type applies it to the password property:

import java.io.Serializable;

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.Table;

import org.hibernate.annotations.Parameter;
import org.hibernate.annotations.Type;
import org.hibernate.annotations.TypeDef;
import org.jasypt.hibernate.type.EncryptedStringType;

// Declares the "encryptedString" type; the encryptorRegisteredName parameter must
// match the registeredName of the HibernatePBEStringEncryptor bean below.
@TypeDef(
  name = "encryptedString",
  typeClass = EncryptedStringType.class,
  parameters = {
    @Parameter(name = "encryptorRegisteredName", value = "strongHibernateStringEncryptor")
  }
)
@Entity
@Table(name = "USERS")
public class User implements Serializable {
  private Long id;
  private String username;
  private String password;

  @Id
  @GeneratedValue
  public Long getId() { return id; }
  public void setId(Long id) { this.id = id; }

  public String getUsername() { return username; }
  public void setUsername(String username) { this.username = username; }

  // Hibernate runs the value through the registered encryptor before writing
  // the PASSWD column and decrypts it again when the entity is loaded.
  @Type(type = "encryptedString")
  @Column(name = "PASSWD", nullable = false)
  public String getPassword() { return password; }
  public void setPassword(String password) { this.password = password; }
}

Next you need to define the encryptor that Hibernate will look up under that registered name and use to encrypt and decrypt the column.
If you’re using Spring, it’s easy: add the following two beans to your ApplicationContext.xml. The first is the actual PBE encryptor; the second registers it with Jasypt’s Hibernate integration under the name used in the @TypeDef above.

  <bean id="strongEncryptor" class="org.jasypt.encryption.pbe.PooledPBEStringEncryptor">
    <property name="algorithm">
      <value>PBEWithMD5AndTripleDES</value>
      <!-- On older JDKs this algorithm needs the JCE Unlimited Strength policy files installed -->
    </property>
    <property name="password">
      <value>cUst0mP@sswOrd</value>
      <!-- This key protects every password in the table: make it long and random, and do not
           leave it in a file that is checked into version control. A Spring property placeholder
           that reads it from the environment at startup is the usual way to keep it out. -->
    </property>
    <property name="poolSize">
      <value>4</value>
      <!-- For best throughput, use the number of cores of your processor -->
    </property>
  </bean>

  <bean id="hibernateStringEncryptor" class="org.jasypt.hibernate.encryptor.HibernatePBEStringEncryptor">
    <property name="registeredName">
      <value>strongHibernateStringEncryptor</value>
    </property>
    <property name="encryptor">
      <ref bean="strongEncryptor"/>
    </property>
  </bean>

and that’s basically it! When you think that many websites still store passwords in clear text, it’s almost a crime.

One caveat before you copy this into a user table: the mapping above is reversible encryption. Hibernate decrypts the PASSWD column every time it loads a User, and the key sits in ApplicationContext.xml, so anyone who gets hold of the database together with the application configuration (a backup, a leaked deployment, a developer laptop) gets every password back in clear text. For login passwords you never need the clear text back; you only need to check a candidate against what is stored. Jasypt covers that case too, with org.jasypt.util.password.StrongPasswordEncryptor (a salted, iterated SHA-256 digest with encryptPassword() and checkPassword()), and that is the tool to reach for on the user table. The encryptedString mapping is the right tool for data you genuinely must read back, such as credentials your application presents to a third-party service.
I didn’t do advanced stuff with Jasypt, but if you’re not using Hibernate or annotations you can still use it; go to http://www.jasypt.org. That’s a cool library.
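To make the difference concrete, here is an added example (my own code, not part of the original post or of the Jasypt project) that runs both approaches side by side against a constructed sample password. The first half reproduces what the strongEncryptor bean does, using StandardPBEStringEncryptor with the same algorithm and the key from the XML above (a placeholder here; a real deployment would read it from the environment), and shows that whoever holds that key can decrypt the stored value. The second half stores a digest with StrongPasswordEncryptor and shows that login only needs checkPassword(), with nothing to decrypt. Class and method names in this block are my own.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.util.password.StrongPasswordEncryptor;

public class PasswordStorageDemo {

    // Placeholder standing in for the key from the strongEncryptor bean.
    // In a real deployment this value comes from the environment, not source control.
    private static final String CONFIG_KEY = "cUst0mP@sswOrd";

    // StrongPasswordEncryptor is thread-safe, so one shared instance is enough.
    private static final StrongPasswordEncryptor DIGESTER = new StrongPasswordEncryptor();

    // Same setup as the strongEncryptor bean, minus the pooling.
    private static StandardPBEStringEncryptor pbeEncryptor() {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setAlgorithm("PBEWithMD5AndTripleDES");
        enc.setPassword(CONFIG_KEY);
        return enc;
    }

    // Reversible: this is what the encryptedString mapping writes to PASSWD.
    static String encryptReversibly(String plain) {
        return pbeEncryptor().encrypt(plain);
    }

    // Anyone who has the USERS table and the application config can do this.
    static String decryptStored(String stored) {
        return pbeEncryptor().decrypt(stored);
    }

    // One-way: salted, iterated SHA-256 digest; the random salt is embedded in
    // the output, so two calls with the same password give different strings.
    static String digestForStorage(String plain) {
        return DIGESTER.encryptPassword(plain);
    }

    // Login check: re-digests the candidate with the stored salt and compares.
    static boolean loginMatches(String candidate, String storedDigest) {
        return DIGESTER.checkPassword(candidate, storedDigest);
    }

    public static void main(String[] args) {
        // Constructed sample input for the demo.
        String userPassword = "correct horse battery staple";

        String ciphertext = encryptReversibly(userPassword);
        System.out.println("PBE ciphertext : " + ciphertext);
        System.out.println("decrypted back : " + decryptStored(ciphertext));

        String digest = digestForStorage(userPassword);
        System.out.println("stored digest  : " + digest);
        System.out.println("correct login  : " + loginMatches(userPassword, digest));
        System.out.println("wrong password : " + loginMatches("wrong", digest));
    }
}
```

With the digest approach the entity keeps a plain String column holding the value returned by encryptPassword(), without the encryptedString @Type, and the login code calls checkPassword() instead of comparing strings. There is no key to protect, so a copy of the table on its own gives an attacker only salted digests to guess at.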
