How to log in using hashed md5 passwords?

I messed up my passwords and saved them in a database. But I cannot log in without decrypting the password. How do I do it?

My code that tries to do this but doesn't work:

@RequestMapping(method = RequestMethod.POST)
public String processLogin(Person user, BindingResult result, 
                           @RequestParam("userName") String username, 
                           @RequestParam("password") String password) {
    try {
        password = Hex.encodeHexString(MessageDigest.getInstance("SHA-256").digest());
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    ValidateUser(username, password);

    String destination = "";
    if (success == true) {
        destination = "redirect:/person.html";
    }
    else {
        destination = "redirect:/index.html";
    }
    return destination;
}

public boolean ValidateUser(String username, String password) {
    // Decrypt password here.
    List<Person> users = service.getAllPersons();

    for (Person allUsers : users) {
        if (allUsers.getUserName().equals(username) && 
            allUsers.getPassword().equals(password)) {
            success = true;
        }
    }
    return success;
}

And here is my MD5 hashing code:

public void setPassword(String password) {
    String md5 = null;
    try {
        // Create MessageDigest object for MD5
        MessageDigest digest = MessageDigest.getInstance("MD5");

        // Update input string in message digest
        digest.update(password.getBytes(), 0, password.length());

        // Converts message digest value in base 16 (hex)
        md5 = new BigInteger(1, digest.digest()).toString(16);

    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    this.password = md5;
}
+3
2 answers

You also encrypt the password that the user enters when they log in, and then compare the two hashes. Therefore, you need to use the same encryption method both for storing passwords and for checking them.

+2

You do not decrypt the md5 hash, you encode the password provided by the user and check it against the hash in the database.

. MD5 , , , , , , .

SHA-256:

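import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// getInstance throws NoSuchAlgorithmException if the algorithm name is unknown
MessageDigest md = MessageDigest.getInstance("SHA-256");
String password = "some password";

// Name the charset explicitly so the hashed bytes are the same on every platform
md.update(password.getBytes(StandardCharsets.UTF_8));
byte[] digest = md.digest();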


+2
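
The check both answers describe, written against the storage format of the setPassword() method in the question, as an added example that is not part of the original posts. The class and method names (Md5LoginCheck, storedForm, pad32, matches) are hypothetical, the sample passwords are constructed, and ASCII passwords are assumed.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class Md5LoginCheck {

    // Hash the submitted password the way setPassword() stored it: MD5, then BigInteger.toString(16).
    // Assumption: ASCII passwords, so getBytes() and an explicit UTF-8 encoding give the same bytes.
    static String storedForm(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return new BigInteger(1, digest).toString(16); // leading zero digits are dropped here
    }

    // BigInteger.toString(16) can return fewer than 32 characters, while a hex encoder such as
    // Hex.encodeHexString always returns 32. Left-pad so both sides are compared in one form.
    static String pad32(String hex) {
        StringBuilder sb = new StringBuilder();
        for (int i = hex.length(); i < 32; i++) {
            sb.append('0');
        }
        return sb.append(hex).toString();
    }

    // Compare hash with hash, never plaintext with hash. MessageDigest.isEqual takes time that
    // depends only on the length of the input, not on where the first differing byte is.
    static boolean matches(String submitted, String storedHex) throws NoSuchAlgorithmException {
        byte[] a = pad32(storedForm(submitted)).getBytes(StandardCharsets.US_ASCII);
        byte[] b = pad32(storedHex).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample: the value setPassword("some password") would have saved.
        String stored = storedForm("some password");
        System.out.println("correct password accepted: " + matches("some password", stored));
        System.out.println("wrong password accepted:   " + matches("wrong password", stored));

        // "a" is a sample whose MD5 begins with a zero hex digit, so the saved string is short.
        String shortStored = storedForm("a");
        System.out.println("stored length for \"a\": " + shortStored.length());
        System.out.println("still verifies after padding: " + matches("a", shortStored));
    }
}
```

MD5 appears here only so the computed value matches hashes already saved by setPassword(); the SHA-256 call in processLogin can never match them, because the stored and the freshly computed hash must come from the same algorithm and the same hex encoding.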
