Password Encryption in Play

Today, in this blog, I would like to tell you about password encryption in Play.
As you know, saving a password in its plain form can lead to future problems, so it is better to use an encryption technique before saving it to your database. I will be using ‘SHA-256’ encryption in the code given below.
In your project, inside the util package, create a Scala object named “EncyptionUtility”. Delete the content and add the following code:

After adding this code, you just have to import the object by its package path wherever you are handling a password.

4 thoughts on “Password Encryption in Play”

  1. This is terrible, dangerous advice!! Please do not store passwords encrypted using SHA-1! That kind of advice is worse than useless since it creates a false sense of security. Passwords should always be salted and they should be hashed using a secure algorithm specifically designed for password storage, like PBKDF2, scrypt, or bcrypt.

    See the following Gist for an example of correct Scala password hashing:

    https://gist.github.com/agemooij/9622302

    The above code is based on a Java version described here:

    https://crackstation.net/hashing-security.htm#javasourcecode

    I would strongly urge you to update your post!

    Regards,
    Age Mooij

  2. Hi Age,

    Thanks for your suggestion. After going through the Gist and researching, I realized I shouldn’t be using SHA-1 anymore. I have made the required changes and will be using the SHA-256 technique now.

    Regards,
    Harshita Rachora

    1. Did you read the article I linked to? Normal hash functions should never be used for hashing passwords. SHA-256 is not the correct answer. Look at the code I linked to see how to use PBKDF2.

      Even more importantly: you should never ever store password hashes without salting them. Otherwise the same password will always end up with the same hash and dictionary attacks will decimate your password database in hours.

      Password storage is serious business and you should know what you are doing. SHA-1 vs SHA-256 is completely beside the point.

      Please educate yourself on how to do this properly or you might end up being the one responsible for one of those famous password database hacks. The biggest one so far was the one from the Adobe website. 154M passwords using naive hashing without salts.

  3. Hello Harshita,

    Nice SHA-256 encryption example for Scala.

    But besides the discussion about the suitability of SHA-256 for password encryption, there is a bug in your code snippet:
    Line 37
    if (hex.length == 1) hexString.append('0') else hexString.append(hex)
    should be
    if (hex.length == 1) hexString.append('0')
    hexString.append(hex)

    Regards
    Maurizio
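The following is an added example, not code from the post or from any commenter, that puts the two points raised in this thread together in Scala: the two-digit hex encoding Maurizio asks for (so leading-zero bytes are not dropped), and the salted, iterated PBKDF2 hashing with constant-time verification that Age recommends. The object name, iteration count, salt and hash sizes, and the "iterations:salt:hash" storage format are my own assumptions, not values from the post.

```scala
import java.security.{MessageDigest, SecureRandom}
import java.util.Base64
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

object PasswordHashing {
  // Work factor, salt size and output size are assumptions for this example, not values from the post.
  private val Iterations = 100000
  private val SaltBytes = 16
  private val HashBytes = 32
  private val rng = new SecureRandom()

  // Hex-encode every byte with exactly two digits, so 0x0A becomes "0a", not "a".
  // This is the leading-zero padding Maurizio's comment says the post's line 37 loses.
  def toHex(bytes: Array[Byte]): String = bytes.map(b => f"${b & 0xff}%02x").mkString

  // Plain SHA-256: unsalted and deterministic, so equal passwords collide across users. Kept only for contrast.
  def sha256Hex(password: String): String =
    toHex(MessageDigest.getInstance("SHA-256").digest(password.getBytes("UTF-8")))

  // PBKDF2-HMAC-SHA256 over the password and a per-user salt, iterated to slow down guessing.
  private def pbkdf2(password: Array[Char], salt: Array[Byte], iterations: Int, outBytes: Int): Array[Byte] = {
    val spec = new PBEKeySpec(password, salt, iterations, outBytes * 8)
    try SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded
    finally spec.clearPassword()
  }

  // Stored form "iterations:base64(salt):base64(hash)", so everything needed to verify travels with the record.
  def hashPassword(password: String): String = {
    val salt = new Array[Byte](SaltBytes)
    rng.nextBytes(salt)
    val hash = pbkdf2(password.toCharArray, salt, Iterations, HashBytes)
    val enc = Base64.getEncoder
    s"$Iterations:${enc.encodeToString(salt)}:${enc.encodeToString(hash)}"
  }

  // Recompute with the stored salt and iteration count; compare in constant time to avoid timing leaks.
  def verifyPassword(password: String, stored: String): Boolean = stored.split(":") match {
    case Array(iter, saltB64, hashB64) =>
      val dec = Base64.getDecoder
      val expected = dec.decode(hashB64)
      val actual = pbkdf2(password.toCharArray, dec.decode(saltB64), iter.toInt, expected.length)
      MessageDigest.isEqual(expected, actual)
    case _ => false
  }

  def main(args: Array[String]): Unit = {
    val stored = hashPassword("correct horse battery staple")
    println(s"stored record: $stored")
    println(s"right password verifies: ${verifyPassword("correct horse battery staple", stored)}")
    println(s"two records for the same password differ: ${hashPassword("x") != hashPassword("x")}")
  }
}
```

Because the salt is random per record, the same password produces a different stored string every time, which is exactly what defeats the shared-hash dictionary attack described in the reply above.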
