I am working on a login system for my Java program, but I want to encrypt the password. I am using PHP because if someone decompiles the program they could find the key codes for decrypting the password. So what I want to do is have a URL like this: example.com/users/encrypt.php?password=pass so it would encrypt the password and print it out as HTML for my program to read.
Please note I know nothing about PHP, this was just the first way to encrypt it securely that popped into my head.
This post has been edited by Dormilich: 14 September 2013 - 03:06 AM
Reason for edit:: changed host name
Generally you don't encrypt passwords, you hash them. However hashes are irreversible, unlike encryptions. In the type of login systems you typically deal with in server-side languages like PHP, there is never any need to decrypt passwords, so hashes are perfect.
Why do you need them to be decrypted in your program?
You don't need PHP for that. A hash is irreversible, so even if somebody manages to get the source code for your Java program, a hash generated in Java will not be any more vulnerable than a hash generated by PHP.
So, find a way to generate a hash in Java and use that. Just don't try to use MD5 or SHA1. Although a lot of people use them for password hashing, they are far too weak now to be of use. If you can find a Java API to create Bcrypt hashes, that would be my recommendation.
If you are using jBCrypt, you'll need to use the BCrypt.checkpw method they demonstrate on their main page. Bcrypt hashes embed a salt in the output itself, so two hashes generated from the same source won't be the same. To borrow their example:
// Check that an unencrypted password matches one that has
// previously been hashed
if (BCrypt.checkpw(candidate, hashed))
    System.out.println("It matches");
else
    System.out.println("It does not match");
The candidate there would be the plain-text password input you want to check, and the hashed the hash you already have stored for the password.
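The register-and-check flow described in the thread, as an added example that is not part of the original posts or of the jBCrypt project's own code. It assumes the jBCrypt jar (org.mindrot.jbcrypt) is on the classpath; the class name, the in-memory user store, the sample password and the work factor of 12 are constructed for illustration.

```java
import org.mindrot.jbcrypt.BCrypt;

import java.util.HashMap;
import java.util.Map;

public class LoginDemo {
    // Hypothetical in-memory store: username -> bcrypt hash.
    // The plain-text password is never stored.
    private static final Map<String, String> USERS = new HashMap<>();

    static void register(String username, String password) {
        // gensalt(12) creates a fresh random salt with work factor 12 (assumed value);
        // hashpw embeds that salt and the work factor in the returned string.
        USERS.put(username, BCrypt.hashpw(password, BCrypt.gensalt(12)));
    }

    static boolean login(String username, String candidate) {
        String stored = USERS.get(username);
        if (stored == null) {
            return false; // unknown user
        }
        // checkpw reads the salt out of the stored hash, re-hashes the
        // candidate with it, and compares the results.
        return BCrypt.checkpw(candidate, stored);
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple"; // constructed sample

        // Two hashes of the same password differ because each gets its own salt,
        // so comparing hash strings for equality cannot be used to verify a login.
        String first = BCrypt.hashpw(password, BCrypt.gensalt(12));
        String second = BCrypt.hashpw(password, BCrypt.gensalt(12));
        System.out.println("same hash string twice: " + first.equals(second));
        System.out.println("first verifies:  " + BCrypt.checkpw(password, first));
        System.out.println("second verifies: " + BCrypt.checkpw(password, second));

        register("alice", password);
        System.out.println("right password: " + login("alice", password));
        System.out.println("wrong password: " + login("alice", "guess"));
        System.out.println("unknown user:   " + login("bob", password));
    }
}
```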