Storing Hashed Password to Database in Java(Using Bcrypt)

By Dhiraj Ray, 07 May,2017   6K

Storing passwords in plain text in databse is vulnerable to security. This article is about storing hashed password to databse in java. Doing so it becomes impossible for even BDAs to extract the real passwords. There are many hashing algorithms such as MD5, SHA-1, SHA-2 etc to hash a password but adding a salt to the password provides extra security. In this article we will be using jBCrypt, which internally generates a random salt while encoding passwords, to encode our plain text passwords and store in DB.

In this article, we will be using spring MVC and hibernate just to get rid of some configurations to connect with DB. The main focus here will be to use jBCrypt to encode the plain text passwords and save to DB and again how can we match the hashed password with the plain text password. Here we will be creating a simple app that encryptes password before storing user details in the DB.

What is Bcrypt Encoding

As per wiki, bcrypt is a password hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher. Bcrypt uses adaptive hash algorithm to store password.BCrypt internally generates a random salt while encoding passwords and hence it is obvious to get different encoded results for the same string.But one common thing is that everytime it generates a String of length 60.

You can also take a look into this Online Bcrypt Tool to know how bcrypt works.

 Other Interesting Posts
AES Encryption and Decryption in Java
Spring Data JPA Example
Spring Boot Hibernate 5 Example
Spring Hibernate Integration Example
Spring Boot Security Bcrypt Password Encoding
Random Password Generator in Java
Spring MVC PDF and Excel View Example
Spring MVC Content Negotiating Example
Spring Boot Multiple DB Example

Defining maven Dependencies

Following is the maven dependency required to get started using Bcrypt.

pom.xml
	<dependency>
            <groupId>org.mindrot</groupId>
            <artifactId>jbcrypt</artifactId>
	    <version>0.3m</version>
        </dependency>

Bcrypt Implementation to Encrypt Password

Bcrypt library provides ready made implementation to hash plain text password. The method hashpw() requires plain text password and random salt to hash a plain text password. Following is the implementation.The save() method defined in the UserServiceImpl.java internally calls following method to encrypt the password before saving it to the DB.

private String hashPassword(String plainTextPassword){
		return BCrypt.hashpw(plainTextPassword, BCrypt.gensalt());
	}

Matching Encrypted and Plain Text Password in Bcrypt

Following is the implementation that actually matches the plain text and encrypted password.

private void checkPass(String plainPassword, String hashedPassword) {
		if (BCrypt.checkpw(plainPassword, hashedPassword))
			System.out.println("The password matches.");
		else
			System.out.println("The password does not match.");
	}

Testing the Application

Here first we will save a user in the db. The service implementation will encrypt the password before saving to DB. Then we will fetch the same user from DB and try to match the enccrypted password with the plain text password and display the result.

@WebAppConfiguration
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(classes = { TestBeanConfig.class })
public class UserControllerTest {

	@Autowired
	private UserController userController;

	private String password = "password";

	@Test
	public void validateUser_Test_Positive() {
		User user = new User();
		user.setEmail("test@test.com");
		user.setName("test");
		user.setPassword(password);
		userController.save(user);
		ResponseEntity result = userController.getUser(user.getId());
		assertNotNull(result.getBody());
		checkPass(password, user.getPassword());
		assertEquals(result.getStatusCode(), HttpStatus.OK);
	}

	private void checkPass(String plainPassword, String hashedPassword) {
		if (BCrypt.checkpw(plainPassword, hashedPassword))
			System.out.println("The password matches.");
		else
			System.out.println("The password does not match.");
	}

}

Following is the entry created in databse after executing above test.

storing hashed password to DB result

Conclusion

I hope this article served you that you were looking for. If you have anything that you want to add or share then please share it below in the comment section.

Download the source

Further Reading on Spring MVC

1. Jwt Role Based Authorization

2. Spring Boot Security Password Encoding Bcrypt Encoder

3. Random Password Generator Java

4. Spring Mvc Pdf And Excel View Example

5. Spring Mvc Contentnegotiating Viewresolver Example

If You Appreciate What We Do Here On Devglan, You Should Consider: