Encryption/Encode of Trust Store Password in BIRT - birt

I am looking for a way to encrypt or encode (base64 is okay) the Trust Store Password in BIRT.
<list-property name="privateDriverProperties">
....
<name>trustCertificateStorePassword</name>
<value>changeit</value>
....
</list-property>
I don't want the value 'changeit' to be shown in plain text. Is there a way that it can be encrypted or encoded so it is not shown in plain text?

Related

laravel 5.6 convert hashed password to normal password?

There is no option to convert hashed text back to plain text. That's the reason why we use that method to store passwords - only the author of a password can know the real value - nobody else (developers and someone who can steal passwords). The popular method used to break hashed passwords is called a "brute force attack" and is based on comparing already known hashed values of popular passwords to existing ones in the database.
Now I need to show the current password when a user changes the password, but a hashed password cannot be returned back.
How do I solve this issue?
convert hashed password to normal password?
Encryption is a two-way function; what is encrypted can be decrypted with the proper key.
Hashing is a one-way function that scrambles plain text to produce a unique message digest. With a properly designed algorithm, there is no way to reverse the hashing process to reveal the original password.
Now I need to show the current password when a user changes the password, but a hashed password cannot be returned back. How do I solve this issue?
You do not need to show the password to anyone, including the owner of the password.
If you want to check, you can use the check method, which allows you to verify that a given plain-text string corresponds to a given hash.
if (Hash::check('plain-text', $hashedPassword)) {
// The passwords match...
}

how to provide encrypted image path

I got the below snippet from Google. I am curious to understand and decode how the image src path is configured. Is the image name itself encrypted?
<div><img class="imspo_tps__hs-img imspo_tps__hs-border" src="http://t3.gstatic.com/images?q=tbn:ANd9GcSIBJRTNFd7FodMrT8uvaTG9mZhP_ViztHyuSNvtkpEpg4_YIg7Kblkq2i-1l1HXgrfev0" style="width:42px;height:42px" alt=""></div>
What Google stores in their path, ask Google.
To your question "how to provide encrypted image path": There can be many ways.
When you are creating the deployment image, rename folders, for instance, with their hashes, and rename the file names with their hashes. These changes should of course also be done in the application code (PHP, Java, etc. depending on what you use).
Implement hashing or other name replacing on a proxy level: encrypt/hash outgoing names and decrypt ingoing. Then your application code, folder names, file names remain unchanged.
If your users need to be authenticated, then you have some sort of session. Maybe it is a lightweight session, but you still have at least a unique user token. You can use that as an additional key to encrypt outgoing and decrypt ingoing URLs.

Password encoding and decoding using Spring Security, Spring Boot and MongoDB

I use the software stack mentioned above and I need to encrypt the password before saving it into the database. I also need to decrypt the password because when someone changes their password, he or she needs to give the old password and then the new one twice, and I need to check the old password.
I have searched a lot but I am still not sure what the right way to do this is.
I have found this link Encrypting but are there other hints to do this?
I am also not sure if maybe MongoDB provides something to protect passwords.
First read Steven Carlson's answer about password hashing.
The good thing is that Spring Security will do this for you. Spring Security 3.2 introduced the new org.springframework.security.crypto.password.PasswordEncoder interface and some implementations: BCryptPasswordEncoder, StandardPasswordEncoder (and NoOpPasswordEncoder).
Important: Do not confuse org.springframework.security.crypto.password.PasswordEncoder with the old deprecated org.springframework.security.authentication.encoding.PasswordEncoder
The interface (and therefore the implementations) has the two methods you need:
public String encode(CharSequence rawPassword)
public boolean matches(CharSequence rawPassword, String encodedPassword)
I recommend using org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder.
The BCryptPasswordEncoder (in contrast to the StandardPasswordEncoder) uses a salt that is different for each password (but not global like the one from StandardPasswordEncoder). When you encode a raw password (public String encode(CharSequence rawPassword)) then the returned encoded password is not just the encoded password, it also contains some meta information about the used hash-algorithm, the used salt and of course the encoded password.
You should not be "encrypting" the password at all. I know this sounds counter-intuitive. But there is zero reason your system should need to decrypt the password. To do so would open your database to a hacker, because if you store your decryption password in your code/server a hacker can steal that information.
The correct process is to hash the password. A hash is a one-way (cannot be decrypted back to the original text) process. The current standard would be to use SHA256 to hash your password. Here is a basic flow-chart:
Take user submitted password. Example password "mypass" would hash out to ea71c25a7a602246b4c39824b855678894a96f43bb9b71319c39700a1e045222
Store this hash (ea71c25a7a602246b4c39824b855678894a96f43bb9b71319c39700a1e045222) in your database.
When a user logs in you take the password he just submitted and hash it. If he enters the same password it will hash out to the same value in your database.
When a user goes to change passwords you hash the "enter your old password" to verify the old password still matches, if it does you hash the "enter your new password" and save it.
One thing I did not mention in my example is salt. This is something you must use in your system as it protects your data from rainbow table exploits. But that is for another discussion.
Hope this helps :)

Ruby encryption/decryption with secure password

I want to connect two Ruby interfaces. I want to pass a key and secret from interface 1 to interface 2 in encrypted form, and the user in interface 2 can decrypt the key and secret if he has a specific password. Which is the best way to implement it?
Use PBKDF2 to generate a key from a salt and the password. You can use this key to perform key wrapping (encryption) over a randomized key you want to agree on. You could simply use AES in ECB mode of operation if you only encrypt a randomized key value.
If you also need to encrypt a message then take the key and use an authenticated mode of encryption like GCM and use that to encrypt. If that's not available then use CBC and HMAC, but don't forget to include the IV vector in the HMAC calculation over the ciphertext. Sending non-authenticated ciphertext over the internet is not likely to be secure.
If available you could also use TLS with PSK authentication. That would almost certainly provide better protection than some kind of proprietary scheme such as the one above.
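The PBKDF2-plus-GCM approach from the answer above, as an added example that is not part of the original post. It uses the PBKDF2-derived key directly with AES-256-GCM rather than wrapping a separate random key; the function names, the iteration count and the dot-separated envelope format are assumptions made for this illustration.

```ruby
require 'openssl'
require 'json'

# Assumed parameters for this example (not taken from the original post).
PBKDF2_ITERATIONS = 200_000
KEY_LEN = 32 # bytes, for AES-256

def derive_key(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                                     length: KEY_LEN, hash: 'sha256')
end

# Interface 1: encrypt key and secret under a password-derived key.
# Returns "salt.iv.tag.ciphertext", each part strict base64.
def seal_credentials(password, api_key, api_secret)
  salt = OpenSSL::Random.random_bytes(16)   # fresh salt per envelope
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(password, salt)
  iv = cipher.random_iv                     # fresh 96-bit nonce per envelope
  cipher.auth_data = salt                   # bind the salt to the auth tag
  plaintext = JSON.generate('key' => api_key, 'secret' => api_secret)
  ct = cipher.update(plaintext) + cipher.final
  [salt, iv, cipher.auth_tag, ct].map { |part| [part].pack('m0') }.join('.')
end

# Interface 2: returns {"key"=>..., "secret"=>...}, or nil when the
# password is wrong or the envelope was modified or is malformed.
def open_credentials(password, envelope)
  salt, iv, tag, ct = envelope.split('.').map { |part| part.unpack1('m0') }
  return nil unless ct && tag.bytesize == 16 # reject missing or truncated tags
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_key(password, salt)
  cipher.iv = iv
  cipher.auth_tag = tag                     # must be set before auth_data
  cipher.auth_data = salt
  JSON.parse(cipher.update(ct) + cipher.final) # final raises on tag mismatch
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end
```

Because GCM is authenticated, a wrong password and a tampered envelope fail the same way, so the receiver never acts on unauthenticated plaintext.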
There are a lot of options available; I liked Gibberish.
Gibberish
gpgme
encrypted strings

encrypting id in Codeigniter that is not permitted url in codeigniter

I'm using CodeIgniter 2.1.4. My problem is when I use
$this->encrypt->encode($row['service_id'])
in my view page, it generates a key that is not permitted in the URL, and I also want a short encrypted key because the current encrypted key is too big. Any solution? Thanks
A simple solution would be to send the encrypted key as a POST parameter instead of GET parameter. In case you do not want to do that, look into
$config['permitted_uri_chars']
in application/config/config.php. Add the characters that you want to send in URL. Remember. THIS IS A SECURITY COMPROMISE.
You can always change to another cipher algorithm using
$this->encrypt->set_cipher();
This is known to mess up your sessions, as sessions are encrypted using the default algorithm. So if you set a session, change the cipher and then try to modify or set the session again, it won't work. You need to make sure you set the cipher back to the default after your encryption is done.
Check and try to understand system/libraries/Session.php, especially around the line
$cookie_data = $this->CI->encrypt->encode($cookie_data);
If you are interested in finding answer to "WHY"
