Password Encryption in Play


Today, in this blog, I would like to tell you about password encryption in Play.
As you know, saving a password in its plain form can lead to future problems, so it is better to use an encryption technique before saving it to your database. I will be using ‘SHA-256’ hashing in the code given below.
In your project, inside the util package, create a Scala object named “EncryptionUtility”. Delete the content and add the following code:


package utils

import java.security.MessageDigest
import org.apache.commons.lang3.RandomStringUtils
import play.api.Logger
import play.api.libs.Crypto

object PasswordHashing {

  /**
   * Generate a random alphanumeric string of length 10 for a password.
   * Note: commons-lang3's RandomStringUtils draws from java.util.Random,
   * which is not a cryptographic generator, so do not use this for secrets.
   */
  def generateRandomPassword: String = {
    val stringLength = 10
    RandomStringUtils.randomAlphanumeric(stringLength)
  }

  /**
   * Password hashing using the MessageDigest SHA-256 algorithm.
   */
  def encryptPassword(password: String): String = {
    val algorithm: MessageDigest = MessageDigest.getInstance("SHA-256")
    // Fix the charset explicitly so the digest does not depend on the platform default
    val defaultBytes: Array[Byte] = password.getBytes("UTF-8")
    algorithm.reset()
    algorithm.update(defaultBytes)
    val messageDigest: Array[Byte] = algorithm.digest()
    getHexString(messageDigest)
  }

  /**
   * Generate a hex string from a digest, for password & userId encryption.
   */
  def getHexString(messageDigest: Array[Byte]): String = {
    val hexString: StringBuffer = new StringBuffer
    messageDigest foreach { digest =>
      val hex = Integer.toHexString(0xFF & digest)
      // Left-pad single-digit bytes with '0', then always append the hex value
      // (the original 'if ... else' dropped the byte whenever it padded)
      if (hex.length == 1) hexString.append('0')
      hexString.append(hex)
    }
    // Writing hash values to the application log is not advisable in production
    Logger.info("encrypt Data " + hexString.toString)
    hexString.toString
  }

  def encryptUserId(userId: String): String = {
    Crypto.encryptAES(userId)
  }

  def decryptUserId(userId: String): String = {
    Crypto.decryptAES(userId)
  }

}

After adding this code, you just have to import this object (utils.PasswordHashing) wherever you are handling passwords.

This entry was posted in Scala.

4 Responses to Password Encryption in Play

  1. Age Mooij says:

    This is terrible, dangerous advice!! Please do not store passwords encrypted using SHA-1! That kind of advice is worse than useless since it creates a false sense of security. Passwords should always be salted and they should be hashed using a secure algorithm specifically designed for password storage, like PBKDF2, scrypt, or bcrypt.

    See the following Gist for an example of correct Scala password hashing:

    The above code is based on a Java version described here:

    https://crackstation.net/hashing-security.htm#javasourcecode

    I would strongly urge you to update your post!

    Regards,
    Age Mooij

  2. harshita1990 says:

    Hi Age,

    Thanks for your suggestion. After going through the Gist and researching, I realized I shouldn’t be using SHA-1 anymore. I have made the required changes and will be using the SHA-256 technique now.

    Regards,
    Harshita Rachora

    • Age Mooij says:

      Did you read the article I linked to? Normal hash functions should never be used for hashing passwords. SHA-256 is not the correct answer. Look at the code I linked to see how to use PBKDF2.

      Even more importantly: you should never ever store password hashes without salting them. Otherwise the same password will always end up with the same hash and dictionary attacks will decimate your password database in hours.

      Password storage is serious business and you should know what you are doing. SHA-1 vs SHA-256 is completely beside the point.

      Please educate yourself on how to do this properly or you might end up being the one responsible for one of those famous password database hacks. The biggest one so far was the one from the Adobe website. 154M passwords using naive hashing without salts.

  3. Maurizio says:

    Hello Harshita,

    nice SHA-256 encryption example for Scala.

    But besides the discussion about the suitability of SHA-256 for password encryption, there is a bug in your code snippet:
    Line 37
        if (hex.length == 1) hexString.append('0') else hexString.append(hex)
    should be
        if (hex.length == 1) hexString.append('0')
        hexString.append(hex)

    Regards
    Maurizio
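To put the thread's advice next to the post's code: an added example, not code from the post or from any commenter, showing the post's unsalted SHA-256 digest beside a salted PBKDF2-HMAC-SHA256 hash with a constant-time check, using only JDK classes. The iteration count, salt size and the `pbkdf2-sha256:iters:salt:hash` record layout are my own assumptions.

```scala
import java.security.{MessageDigest, SecureRandom}
import java.util.Base64
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

object PasswordStorageExample {
  private val Iterations = 100000   // assumption: tune so one hash takes ~100 ms on your servers
  private val SaltBytes  = 16       // assumption: 128-bit random salt per user
  private val KeyBits    = 256
  private val rng        = new SecureRandom()
  // The post's scheme: one unsalted SHA-256 digest per password. Two users with
  // the same password get the same string, so one precomputed table cracks both.
  def unsaltedSha256(password: String): String =
    MessageDigest.getInstance("SHA-256")
      .digest(password.getBytes("UTF-8"))
      .map(b => f"${b & 0xff}%02x").mkString
  private def pbkdf2(password: String, salt: Array[Byte], iters: Int, bits: Int): Array[Byte] = {
    val spec = new PBEKeySpec(password.toCharArray, salt, iters, bits)
    try SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded
    finally spec.clearPassword()   // scrub the password chars once the key is derived
  }
  // Hardened form: fresh random salt per user, a slow PBKDF2 derivation, and the
  // parameters stored beside the hash so the iteration count can be raised later.
  def hashPassword(password: String): String = {
    val salt = new Array[Byte](SaltBytes)
    rng.nextBytes(salt)
    val enc  = Base64.getEncoder
    val hash = pbkdf2(password, salt, Iterations, KeyBits)
    s"pbkdf2-sha256:$Iterations:${enc.encodeToString(salt)}:${enc.encodeToString(hash)}"
  }
  // Re-derives with the stored salt and iterations; MessageDigest.isEqual compares
  // the byte arrays in constant time, so timing does not reveal a matching prefix.
  def verifyPassword(password: String, stored: String): Boolean =
    stored.split(":") match {
      case Array("pbkdf2-sha256", iters, saltB64, hashB64) =>
        val dec      = Base64.getDecoder
        val expected = dec.decode(hashB64)
        val actual   = pbkdf2(password, dec.decode(saltB64), iters.toInt, expected.length * 8)
        MessageDigest.isEqual(expected, actual)
      case _ => false   // unknown or malformed record: never accept
    }
  def main(args: Array[String]): Unit = {
    val pw = "correct horse"                               // constructed sample password
    println(unsaltedSha256(pw) == unsaltedSha256(pw))      // true: same digest for every user
    val a = hashPassword(pw); val b = hashPassword(pw)
    println(a == b)                                        // false: per-user salt
    println(verifyPassword(pw, a) && !verifyPassword("wrong", a)) // true
  }
}
```

Because the record carries its own iteration count, existing hashes keep verifying after `Iterations` is raised, and can be re-hashed on the user's next successful login.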
