How to encrypt password in mysql

Hello all,

I am using MySQL as my database and saw that it keeps the passwords in plain text. Now how to encrypt them through md5()? And where is the user-create.jsp page located? Maybe I should edit there, but I couldn't find that file.

-Tanveer

Hi Tanveer,

Your question about encrypting passwords was previously answered in this thread:

http://www.jivesoftware.org/forums/thread.jspa?threadID=14251

Hope that helps,

Ryan

Thanks for replying.

In that link it says:-

In order to support digest authentication, the server needs access to the plaintext password.

Sorry, I didn't quite get it. Does it mean I can't encrypt the password?

-Tanveer

Hi Tanveer,

Does it mean I can't encrypt the password?

Yes and no. It basically means that encrypting the password probably isn't going to get you the security that you might expect. Here's a more detailed discussion on the subject:

http://www.jivesoftware.org/forums/thread.jspa?messageID=94408

Hope that helps,

Ryan

This might be a sufficient solution, it obfuscates the password from plain view while retaining the ability to digest it… (insert burp joke here)…

You could copy the contents of DefaultUserProvider.java (in package org.jivesoftware.messenger.user) to NativeUserProvider.java, and substitute for the user management SQL:

private static final String INSERT_USER = "INSERT INTO jiveUser (username,password,name,email,creationDate,modificationDate) "
    + "VALUES (?,aes_encrypt(?,'s1lLyP455phR45e'),?,?,?,?)";

private static final String LOAD_PASSWORD = "SELECT aes_decrypt(password, 's1lLyP455phR45e') as password FROM jiveUser WHERE username=?";

private static final String UPDATE_PASSWORD = "UPDATE jiveUser SET password=aes_encrypt(?,'s1lLyP455phR45e') WHERE username=?";

Obviously, use your own hard-coded passphrase for site security. Then supply the NativeUserProvider class for the provider.auth.className property (as described at the top of the original file). Modify the original MySQL password column to type byte[32] and your passwords are at least obfuscated. Hope this helps.
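An added example, not code from this thread or from Jive Messenger, showing in one script why the thread's answer is "yes and no": a one-way md5 hash makes digest authentication impossible to verify, while a reversible store keeps it working but leaves every password recoverable to whoever holds the database and the key. It assumes the jabber:iq:auth digest scheme (SHA-1 of the stream ID followed by the password) and uses a labelled keystream XOR as a stand-in for MySQL's aes_encrypt()/aes_decrypt() so that it runs on the standard library alone.

```python
import hashlib
import hmac

# Constructed sample values: a per-connection stream ID, a password and the
# hard-coded site passphrase (stand-in for the one in the forum post).
STREAM_ID = "3B8A4F2C"
PASSWORD = "correct horse"
SITE_KEY = b"example-site-passphrase"

def xmpp_digest(stream_id: str, password: str) -> str:
    """Digest the client sends: SHA-1 hex of stream ID + password (assumed
    jabber:iq:auth scheme). The server must recompute exactly this value."""
    return hashlib.sha1((stream_id + password).encode()).hexdigest()

def md5_store(password: str) -> str:
    """One-way storage, as asked for at the top of the thread."""
    return hashlib.md5(password.encode()).hexdigest()

def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def obfuscate(data: bytes, key: bytes) -> bytes:
    """Stand-in for aes_encrypt()/aes_decrypt(): a keyed keystream XOR, used
    only so the script needs no AES library. It is reversible with the key,
    which is the property the forum's scheme depends on, and its weakness."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

deobfuscate = obfuscate  # XOR with the same keystream is its own inverse

def verify_from_plaintext(stream_id: str, digest: str, password: str) -> bool:
    return hmac.compare_digest(xmpp_digest(stream_id, password), digest)

def verify_from_md5(stream_id: str, digest: str, stored_hash: str) -> bool:
    # All the server holds is the hash; digesting that never matches what the
    # client computed from the real password, so login always fails.
    return hmac.compare_digest(xmpp_digest(stream_id, stored_hash), digest)

def verify_from_obfuscated(stream_id: str, digest: str, blob: bytes, key: bytes) -> bool:
    # Works because the plaintext is recoverable; it is equally recoverable to
    # anyone holding the database rows and the key compiled into the provider.
    recovered = deobfuscate(blob, key).decode("utf-8", "replace")
    return verify_from_plaintext(stream_id, digest, recovered)
```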