1

I have a group of users. Every one of them has the same username-password combination. The data is encrypted (see code below) in my db. The question is, what is the best and most secure way to handle the whole use case? I just want to send the username - password combo in an email, the same email to every user. Should I just decode the password, or save the text password for the period until the user has been sent the email and delete the textual password after that, or do you have any other ideas for that?

There is no especially valuable data in my software, but still...

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.logging.Level;
import java.util.logging.Logger;

private Users hashPasswordBase64(Users currentUser) {

    try {
        // Unsalted SHA-256 of the password; Base64 only turns the digest bytes into text,
        // it is an encoding, not encryption.
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        String text = currentUser.getPassword();
        md.update(text.getBytes("UTF-8"));
        byte[] digest = md.digest();

        // java.util.Base64 stands in for the unspecified Base64 helper used in the original
        currentUser.setPassword(Base64.getEncoder().encodeToString(digest));
    } catch (NoSuchAlgorithmException ex) {
        Logger.getLogger(UsersController.class.getName()).log(Level.SEVERE, null, ex);
    } catch (UnsupportedEncodingException ex) {
        Logger.getLogger(UsersController.class.getName()).log(Level.SEVERE, null, ex);
    }
    return currentUser;
}
Sami
    Huh? Everyone has the same username and password? So how do you tell them apart? And why have a username/password at all? – David May 30 '12 at 13:51
  • Are you saying that every person will share the same username-password in the future (horrors!) or that they currently all share the same username-password and you're trying to overcome that problem? – David Navarre May 30 '12 at 13:52
  • It is like a small group of users; every group has their own username and password. There is an admin user and guest groups, and guests have very limited rights in my software. The admin who creates the guest groups can decide whether he/she creates an own username for every guest or creates just one username/password for the guest group. – Sami May 30 '12 at 14:12
  • So do they or do they not all have the same username/password? You've now said both propositions. And why do you want to send passwords by email at all? This is radically insecure. Your entire security design needs rethinking from the ground up. Passwords must be hashed, not encrypted, so they aren't recoverable; password resets should be accomplished by expiring tokens issued as URL links, not by sending the user his own password; new users should be sent the same kind of token/link; etc etc. – user207421 May 30 '12 at 22:27

2 Answers

4

Betaminos pretty much laid out the guidelines.

What I recommend is storing the password server-side in an encoded format, and only decoding it whenever someone tries to log in as the person.

Another option (assuming that it is a small-scale thing) would be to send an obfuscated password, with lots of spammed characters (example here: http://pastebin.com/hT1AVMUp) (and here: http://pastebin.com/9He1sk2m) and have them decode it client-side. It won't beat any humans, but it should make it harder on decoding programs.

Azulflame
  • Thanks! I am using Glassfish and passwords are encrypted in the db at the moment. When a user logs in, glassfish/JAAS/j_security takes care of the password comparison and this seems to work now. The problem is those guests. I will decode the password when I am sending emails, I'll try that. BTW, if I change this in the future so that the Admin creates only usernames for guests and then sends an email to guests to create their own password, how do you generate those links for different guests and how does the whole system work, or is it just a link with the encrypted username as a parameter, or...? This is so interesting... – Sami May 30 '12 at 14:55
  • Hi again! I am using Base64 encryption and SHA-256 as the algorithm, and it is a one-way algorithm so I can't decode my passwords back. Have I understood that correctly, and what is the next solution :) – Sami May 30 '12 at 19:46
  • the samples I put on pastebin aren't uncrackable, but they will confuse most of the cracking software people just leave to run – Azulflame May 30 '12 at 20:14
  • I'd love to pop in chat with you if you have any questions, but I just dipped from 21 rep to 17 rep, denying me that privilege – Azulflame May 30 '12 at 20:15
  • I think that I'll change the logic tomorrow so that the admin creates the username and password of the guest group at the time when he is sending the invitation message. Then the password will be encrypted after the invitation message has been sent. What do you think about that? – Sami May 30 '12 at 20:23
  • That sounds very logical. I'm new to encryption coding, but can understand how to fool crackers. – Azulflame May 31 '12 at 14:50
  • @Sami You don't need (and don't want) to decode passwords back. You only need to verify that the password they entered is the same as the correct password. You should **not** have passwords in any reversible format, and this includes encrypted or otherwise obfuscated passwords. – NullUserException Oct 29 '12 at 17:18
  • Way to bring a post back from the dead – Azulflame Oct 29 '12 at 17:36
  • @azulflame Comments don't bump posts. Only you and Sami were notified. – NullUserException Oct 30 '12 at 17:01
2

I would recommend decoding the password on the fly, sending the email, and disposing of the variable. Storing the password only makes it easier for a trojan to retrieve it.

Besides that, I would suggest providing a password that needs to be changed by the user after the very first login. This way, the user would be able to choose a password that is easy for him to memorize, and you won't have any problems sending out the clear-text passwords because they become invalid after a single use.

Betaminos
  • Thanks! I will do that in the future. And is there no problem decoding base64 encoded passwords? Could you please help me a little bit with coding that MessageDigest - Base64 - decoded text. I just used Base64.decoder but with no success. – Sami May 30 '12 at 14:21
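The design the comments and answers above converge on (passwords stored as salted hashes and verified rather than decoded, as NullUserException says; an expiring, single-use invitation link instead of an emailed password, as user207421 and Betaminos describe; and Sami's question about how such links are generated) as an added example. This is not code from the original thread, from Glassfish or from JAAS. The class name, the in-memory maps standing in for the question's database table, the example.invalid link, the 24-hour lifetime and the iteration count are assumptions; PBKDF2 with HMAC-SHA-256 is substituted for the unsalted SHA-256 in the question, and a digest of the invitation token is all that is stored, so neither a password nor a live link can be read back out of the database.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical invitation flow for guest accounts; the maps stand in for the user table. */
public class GuestInvitations {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int PBKDF2_ITERATIONS = 100_000;      // assumed work factor
    private static final Duration INVITE_TTL = Duration.ofHours(24); // assumed link lifetime

    /** What the database keeps for a password: salt and PBKDF2 output, never the password. */
    static final class StoredPassword {
        final byte[] salt, hash;
        StoredPassword(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    /** What the database keeps for an open invitation: SHA-256 of the token plus expiry. */
    static final class Invitation {
        final byte[] tokenHash;
        final Instant expiresAt;
        Invitation(byte[] tokenHash, Instant expiresAt) { this.tokenHash = tokenHash; this.expiresAt = expiresAt; }
    }

    private final Map<String, StoredPassword> passwords = new HashMap<>();
    private final Map<String, Invitation> invitations = new HashMap<>();

    /** Admin creates the guest account; the returned link is what goes into the email. */
    public String invite(String username, Instant now) {
        byte[] token = new byte[32];                  // 256 bits of CSPRNG output
        RNG.nextBytes(token);
        invitations.put(username, new Invitation(sha256(token), now.plus(INVITE_TTL)));
        String tokenText = Base64.getUrlEncoder().withoutPadding().encodeToString(token);
        return "https://example.invalid/invite?user=" + username + "&token=" + tokenText;
    }

    /** Guest follows the link and chooses a password. The token expires and works once only. */
    public boolean redeem(String username, String tokenText, String newPassword, Instant now) {
        Invitation inv = invitations.get(username);
        if (inv == null || now.isAfter(inv.expiresAt)) {
            return false;
        }
        byte[] token;
        try {
            token = Base64.getUrlDecoder().decode(tokenText);
        } catch (IllegalArgumentException malformed) {
            return false;
        }
        // Constant-time comparison so a wrong token cannot be narrowed down byte by byte.
        if (!MessageDigest.isEqual(sha256(token), inv.tokenHash)) {
            return false;
        }
        invitations.remove(username);                 // single use: burn the token
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        passwords.put(username, new StoredPassword(salt, pbkdf2(newPassword, salt)));
        return true;
    }

    /** Login check: recompute with the stored salt and compare; nothing is ever decoded. */
    public boolean verify(String username, String password) {
        StoredPassword stored = passwords.get(username);
        if (stored == null) {
            return false;
        }
        return MessageDigest.isEqual(pbkdf2(password, stored.salt), stored.hash);
    }

    static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, PBKDF2_ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        GuestInvitations app = new GuestInvitations();
        Instant now = Instant.now();
        String link = app.invite("guest-group", now);
        String token = link.substring(link.indexOf("token=") + "token=".length());
        System.out.println("email this link:  " + link);
        System.out.println("first redeem:     " + app.redeem("guest-group", token, "correct horse", now));
        System.out.println("second redeem:    " + app.redeem("guest-group", token, "other", now));
        System.out.println("login, right pw:  " + app.verify("guest-group", "correct horse"));
        System.out.println("login, wrong pw:  " + app.verify("guest-group", "wrong"));
    }
}
```

Two design points worth keeping when moving this into a real user table: the token hash and expiry are the only things persisted, so an admin who re-invites a group simply overwrites the row and the old link dies; and because login is a recompute-and-compare, the "decode the password to email it" step the thread asks about has no equivalent here, which is the point. For a shared guest-group login as described in the question, the same flow applies with the group name as the username; a one-time link per invitation is still better than mailing the shared password itself.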