I have a Spring Boot web application which has an Account.jsp page that displays a user's details. On this page I want a field 'password' which has the user's actual password but only displays it as · and not the password itself. I understand that BCrypt is a hash function and is one-way, so how do many websites go about encoding the user's real password as a sequence of characters?
Asked by Rigg97
- Take the password a user has entered, and encode it with BCrypt. See if both encrypted strings match. BCrypt is supposed to be secure enough that there's just no way to recover the actual password. – markspace Sep 17 '20 at 03:08
- This isn't a user input scenario, this is simply displaying the actual password length encoded as a * or middle dot character on their details screen. I.e. your password: ***** Is this bad practice? I see many sites that do this. – Rigg97 Sep 17 '20 at 03:11
- When they show "your password: *****", it doesn't mean your password was 5 characters long. It's just a visual indication to the user that they have your password, and that it has been encrypted for your safety. In reality, they don't really have "your password", because the password was encrypted using a non-reversible algorithm, i.e. it was *hashed*, but that is a distinction that's irrelevant to the UI, which simply wants to show that they have what they need to confirm your password, next time you enter it. – Andreas Sep 17 '20 at 03:29
- But also I think the browser does that. A JSP page should not be trying to "fill in" a password. If the browser has remembered a password, it fills it in, but the form itself doesn't know the difference. Usually what a JSP does is set a cookie and use that instead of a login page. – markspace Sep 17 '20 at 03:54
- @Andreas this isn't true, even looking at my Google and YouTube accounts it has an equivalent number of characters for my different passwords. I suspect this is due to what markspace has said, the browser must be handling this information. – Rigg97 Sep 17 '20 at 04:46
- @Rigg97 Where do you see *'s for the password on the Google and YouTube web sites? I only see blank fields. – Andreas Sep 17 '20 at 04:51
- @Andreas apologies, this is the browser's autofill and not the web applications themselves. I could store password length in a cookie and use that to generate the characters however if someone could acquire this cookie it would make decryption a bit easier. – Rigg97 Sep 17 '20 at 04:58