From: AnandLoni <ana...@gm...> - 2011-06-15 05:36:25

Hi,

I am using Jasypt to encrypt a database column with Hibernate (http://www.jasypt.org/hibernate3.html). When I save an object the value is encrypted, and when I load the object the value is decrypted; this is working fine. I have search functionality on the encrypted column, and I am using the Hibernate Criteria API for searching. Search on the encrypted column is not working. Any idea on how to search over an encrypted column value?
From: Daniel F. <dfe...@us...> - 2011-06-04 18:21:16

Hello,

This seems not to be a jasypt problem, but a problem coming from the Windows shell, which seems to try and substitute the text between two "!" symbols with some kind of (empty) variable. If you execute the script, you will notice that the "input" jasypt declares to receive does not include the text between "!".

Regards,
Daniel.

On 6 April 2011 00:25, openina <olg...@pr...> wrote:
> Whenever the input value both starts and ends with an exclamation point (!)
> I get bad argument error:
> C:\jasypt-1.7\bin>encrypt password=blah input="!testm3!"
>
> ----ERROR-----------------------
>
> Bad argument: input=
>
> Please take a look
> Many thanks
From: Daniel F. <dfe...@us...> - 2011-06-04 15:37:41

Hello,

By default, all Jasypt password encryptors use a random salt, which makes each execution of an encryption operation on the same input return a different output. You should not compare encrypted passwords, but rather use the encryptor's "match" methods, which deal with random salts. If you need encryption results to be exactly the same for the same input, you need to use a fixed / empty salt. Check the online documentation about salt generators.

Regards,
Daniel.

On 16 May 2011 13:04, dedawg <der...@gm...> wrote:
> Hi,
>
> I want to use the StrongPasswordEncryptor for encrypting and checking user
> passwords. The user passwords are stored in DB so I suppose if I encrypt the
> password when they are saved and compare the encrypted password with the
> clear text password this would work, but when I reboot the server (or
> whenever the StrongPasswordEncryptor) encrypt() will return a different
> result. How can I make the result of encrypt() persistent across server
> reboots?
>
> Thanks!
From: Daniel F. <dfe...@us...> - 2011-06-04 15:34:55

Hi,

Please make sure your database columns are big enough to store your encrypted data. Encrypted data is usually quite a bit larger than the original, and it could be that your database is truncating your data, thus provoking errors in your subsequent decryption operations.

Regards,
Daniel.

On 29 April 2011 13:32, Drewich <dr...@gm...> wrote:
> Hello!
> I've been reading other messages that seem to have had the same problem, but
> I can't figure out what I can do to fix this.
>
> I've been using Jasypt to encrypt passwords, strings, ... and I didn't have
> any problem.
>
> But now I'm encrypting byte[] and it works only sometimes.
>
> I'm sure I have the same password for encrypting and decrypting.
> I store the encrypted file in the DB when the user uploads it, and later I try to
> download it (decrypted), and the decryption randomly works or fails.
>
> I've tried using BasicBinaryEncryptor, StrongBinaryEncryptor and
> StandardPBEByteEncryptor using a fixed password to be sure that's not the
> problem, and can't figure out what's going wrong (all of them work
> sometimes).
>
> Hope someone can shed some light on this.
>
> Thanks!!
From: dedawg <der...@gm...> - 2011-05-16 11:04:25

Hi,

I want to use the StrongPasswordEncryptor for encrypting and checking user passwords. The user passwords are stored in DB so I suppose if I encrypt the password when they are saved and compare the encrypted password with the clear text password this would work, but when I reboot the server (or whenever the StrongPasswordEncryptor) encrypt() will return a different result. How can I make the result of encrypt() persistent across server reboots?

Thanks!
From: Taha H. <taw...@gm...> - 2011-05-06 14:25:54

Hi jasypt users!!

I have posted about how to integrate jasypt with Tapestry5 here: http://tawus.wordpress.com/2011/05/06/tapestry-magic-11-integration-with-jasypt-for-encrypting-urls/

If you find it useful enough, please update your jasypt-integration section.
From: Drewich <dr...@gm...> - 2011-04-29 11:32:55

Hello!

I've been reading other messages that seem to have had the same problem, but I can't figure out what I can do to fix this.

I've been using Jasypt to encrypt passwords, strings, ... and I didn't have any problem.

But now I'm encrypting byte[] and it works only sometimes.

I'm sure I have the same password for encrypting and decrypting. I store the encrypted file in the DB when the user uploads it, and later I try to download it (decrypted), and the decryption randomly works or fails.

I've tried using BasicBinaryEncryptor, StrongBinaryEncryptor and StandardPBEByteEncryptor using a fixed password to be sure that's not the problem, and can't figure out what's going wrong (all of them work sometimes).

Hope someone can shed some light on this.

Thanks!!
From: taro4cycle <tar...@gm...> - 2011-04-20 04:48:33

I'm wondering if anyone has any experience with Jasypt + C interoperability on Linux. That is, encrypt a text using BasicTextEncryptor, store the Base64 string somewhere (a file or a database) and decrypt it in C/C++. And I don't mean using JNI.

Thanks.
From: <wes...@gm...> - 2011-04-19 23:35:38

I'm using this code in an EJB:

    @Column(name="SOCIAL_SECURITY")
    @Type(type = "encryptedString")
    private String socialSecurity;

I manually loaded about 200k records into this Oracle database table. None of the "social security #'s" have been encrypted, since I manually loaded the data myself and not through our website. When I attempt to open our application I get an Encryption type exception; I'm guessing this is due to data within the "social" field that is not encrypted and therefore cannot be decrypted. I think this because, if I null out every "social" and then attempt to open our application, I don't have any problems.

My question is how would I, and what is the easiest way to, encrypt 200k values? Does my Oracle database table need to be altered so that the field with the encrypted data is defined differently than other non-encrypted fields? If so, what type of encryption am I supposed to select when altering the table? Oracle has about 5 different encryption type options that can be selected.

Thank you in advance,
Wes
From: Daniel F. <dfe...@us...> - 2011-04-15 00:15:07

Jasypt 1.7.1 has just been released. This is just a maintenance bugfixing release solving a problem related to EncryptableServletContextPropertyPlaceholderConfigurer. You do not need to update if you are not affected by this issue.

See the project website at http://www.jasypt.org

Regards,
Daniel
From: openina <olg...@pr...> - 2011-04-05 22:25:45

Whenever the input value both starts and ends with an exclamation point (!) I get a bad argument error:

    C:\jasypt-1.7\bin>encrypt password=blah input="!testm3!"

    ----ERROR-----------------------

    Bad argument: input=

Please take a look.
Many thanks
From: Daniel F. <dfe...@us...> - 2011-03-31 00:35:15

Hello,

You can use a StandardStringDigester, which allows more configuration options than the StrongPasswordEncryptor / ConfigurablePasswordEncryptor utils. Maybe GlassFish does not apply iteration (iterationCount = 1) or applies no salt (saltSizeBytes = 0), and that's why StrongPasswordEncryptor is not compatible.

"MD5" and "SHA-1" are just example algorithms. The complete list of supported algorithms depends on your JVM's JCE providers.

Regards,
Daniel.

On 26 March 2011 08:45, hezjing <he...@gm...> wrote:
> Hi
>
> I'm trying to encrypt a password in SHA-256, to be used in the GlassFish 3.1 JDBC
> realm.
>
> First, GlassFish works with the password encrypted from
> http://www.fyneworks.com/encryption/SHA-256-Encryption.
>
> Unfortunately it failed when I encrypted the password using
> Jasypt's StrongPasswordEncryptor (Algorithm: SHA-256, Salt size: 16
> bytes, Iterations: 100000).
> Is there any other way to encrypt a password in SHA-256 than
> using StrongPasswordEncryptor?
>
> I was looking at the ConfigurablePasswordEncryptor, but it only
> accepts algorithms like MD5 or SHA-1 (no SHA-256?).
>
> --
> Hez
From: Daniel F. <dfe...@us...> - 2011-03-31 00:31:04

Hi,

As a general rule, you shouldn't be able to decrypt your users' passwords in any way. If a user loses his/her password, you should set a new one-use one for him/her, send it to your user at a previously verified email address, and then make your user change that password the first time he/she logs in, so that you don't know it.

Regards,
Daniel.

On 25 March 2011 06:15, Vaibhav Pawar <vai...@re...> wrote:
> Hello,
> I am using Jasypt for Password Encryption with my Project. It's really good
> & easy to use.
> But I came across a problem. If a user forgot his/her Password I need to send
> it through the Email provided by him/her. My passwords are stored in encrypted
> form in the database. I need to decrypt the password before sending. I didn't
> find the solution anywhere.
> Any help would be appreciated.
>
> Thanks
>
> - Vaibhav
From: cjs1976 <ho...@so...> - 2011-03-30 13:55:35

Hi!

The article http://www.jasypt.org/encrypting-configuration.html says that I have to create the encrypted values of my property file with the CLI tool. But the values could be changed within my application, so I need a solution to create the encrypted values automatically in my application, and not over a CLI tool.

Any ideas?
From: hezjing <he...@gm...> - 2011-03-26 07:45:45

Hi

I'm trying to encrypt a password in SHA-256, to be used in the GlassFish 3.1 JDBC realm.

First, GlassFish works with the password encrypted from http://www.fyneworks.com/encryption/SHA-256-Encryption.

Unfortunately it failed when I encrypted the password using Jasypt's StrongPasswordEncryptor (Algorithm: SHA-256, Salt size: 16 bytes, Iterations: 100000). Is there any other way to encrypt a password in SHA-256 than using StrongPasswordEncryptor?

I was looking at the ConfigurablePasswordEncryptor, but it only accepts algorithms like MD5 or SHA-1 (no SHA-256?).

--
Hez
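
Daniel's suggestion in his reply (a StandardStringDigester with iterationCount 1 and saltSizeBytes 0), worked through as an added example that is neither jasypt's own code nor any poster's. It produces a bare, unsalted SHA-256 and checks it against java.security.MessageDigest; the hexadecimal output type and the sample password are assumptions, and whether a given realm stores hex or Base64 has to be confirmed against its configuration.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.jasypt.digest.StandardStringDigester;

public class PlainSha256Compat {

    /**
     * A digester configured for compatibility with a store that holds bare SHA-256
     * hashes: one iteration and no salt, so the output is deterministic and carries
     * no salt prefix. This is far weaker than StrongPasswordEncryptor's 16-byte salt
     * and 100000 iterations; use it only where the other side cannot be changed.
     */
    public static StandardStringDigester plainSha256(String outputType) {
        StandardStringDigester d = new StandardStringDigester();
        d.setAlgorithm("SHA-256");
        d.setIterations(1);
        d.setSaltSizeBytes(0);
        d.setStringOutputType(outputType); // "hexadecimal" or "base64"
        return d;
    }

    // Reference value computed directly with the JCE, for comparison.
    public static String jceSha256Hex(String message) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] hash = md.digest(message.getBytes(Charset.forName("UTF-8")));
            StringBuilder sb = new StringBuilder(hash.length * 2);
            for (byte b : hash) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 missing from JCE providers", e);
        }
    }

    // Verifies a plain SHA-256 hex value as another tool would have produced it.
    // With no salt, matches() is simply a re-digest and byte comparison.
    public static boolean matchesExternalHash(String plain, String externalHexHash) {
        return plainSha256("hexadecimal").matches(plain, externalHexHash);
    }

    public static void main(String[] args) {
        String password = "s3cret-example"; // constructed sample, not from the thread
        StandardStringDigester hex = plainSha256("hexadecimal");

        String jasyptHex = hex.digest(password);
        String jceHex = jceSha256Hex(password);
        // Jasypt's hex encoding may differ from %02x only in letter case.
        System.out.println("jasypt : " + jasyptHex);
        System.out.println("jce    : " + jceHex);
        System.out.println("equal  : " + jasyptHex.equalsIgnoreCase(jceHex));

        // Deterministic: digesting twice gives the same string, unlike a salted digester.
        System.out.println("stable : " + jasyptHex.equals(hex.digest(password)));

        // Verification against a hash produced elsewhere (here, by the JCE reference code).
        System.out.println("matches: " + matchesExternalHash(password, jceHex));
        System.out.println("wrong  : " + matchesExternalHash("other", jceHex));
    }
}
```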
From: Vaibhav P. <vai...@re...> - 2011-03-25 05:15:28

Hello,

I am using Jasypt for Password Encryption with my Project. It's really good & easy to use. But I came across a problem. If a user forgot his/her Password I need to send it through the Email provided by him/her. My passwords are stored in encrypted form in the database. I need to decrypt the password before sending. I didn't find the solution anywhere. Any help would be appreciated.

Thanks

- Vaibhav
From: Daniel F. <dfe...@us...> - 2011-02-19 11:58:35

Hello,

Thanks for your interest. Your point is very correct and, obviously, from a formal point of view you are right that extending a class from an external library creates a strong dependency between the two libraries, and that your solution could do the job in a quite similar way. But we chose to extend for a couple of reasons:

First, extension of Spring's PropertyPlaceholderConfigurer is Spring's recommended way to do this, and so is stated in the online documentation for that class for the PropertyResourceConfigurer.convertPropertyValue() method, which says: "[...] The default implementation simply returns the original value. Can be overridden in subclasses, for example to detect encrypted values and decrypt them accordingly."

Second, doing this (IMO) better integrates jasypt into the Spring infrastructure, letting automated encryption/decryption of parameters take part in any configuration process in a transparent way. This means that all the possible uses of values coming from a PropertyPlaceholderConfigurer can include encryption, like for example evaluation of Spring EL expressions.

And third, SpringSource is quite respectful with Spring APIs and tends not to change extension points often from one version to the next. It is true that with each Spring version we have to review changes and ensure everything is still alright, but creating a BeanFactory post processor would also have us reviewing APIs in the same way (though the bond would be much weaker, that's true).

Anyway, again, your point is very correct and yours would be a very adequate solution. Thanks for sharing it.

Regards,
Daniel.

On 14 February 2011 20:45, Haavar Valeur <ja...@ha...> wrote:
> Hi.
> I noticed that jasypt has support for spring configuration. This is
> exactly what I need. One thing that concerned me was that you are
> extending the spring property placeholder and overrider classes. I
> believe that concrete inheritance from one library to another is bad.
> You will compile against one version of the super-class, but I might be
> using a different version in my application. This could prevent users
> from upgrading to a new version of spring.
>
> I believe a more flexible solution would be to create a bean factory
> post processor that looks for the ENC(.*) pattern and decrypts the
> values. This will allow users to have the encrypted values directly in
> the xml, or any other source (like an external config server). Users
> would also be able to make full use of namespace configuration. Using a
> bean factory post processor will unify the different configuration
> options you offer into a single setup.
>
> Best
> Haavar
From: fatefree <fat...@gm...> - 2011-02-19 03:11:17

I have a requirement to encrypt certain string columns in the database, but still allow users to search for them. I am using the EncryptedStringType to encrypt the data before it goes to the database. I had a discussion on the Hibernate Search forums, and they said I could use a custom FieldBridge, which essentially decrypts the value before it gets sent off to Lucene's index.

So it sounds good in theory; however, I am having trouble finding a clever way to invoke the decryptor from inside my (non-Spring-managed) FieldBridge. My first thought was to use Spring aspects to inject the encryptor into my FieldBridge class, but then I thought I could make it a little easier by trying to reuse the EncryptedStringType class itself somehow. However, it seems pretty hacky, as I'd have to mock a PreparedStatement or ResultSet in order to get the value decrypted, since those are the only public methods. Can anyone think of another way I might be able to decrypt the value?

Another question came up in the process. The EncryptedStringType gets instantiated from within Hibernate, but it can still be configured in Spring. Does that mean there is a static field somewhere holding the encryptor that was created with a specific password? If so, does that mean I can't have two applications running on the same JVM without using the same encryptor password?
From: gamador <ver...@gm...> - 2011-02-18 19:34:06

Hi.

I'm trying to encrypt the attributes of an embedded class using Hibernate 3.3.1.GA and Jasypt 1.5. Every time I create or update an Address, all its attributes are persisted in clear text. My classes look like this:

    @TypeDef(name = "encryptedString", typeClass = EncryptedStringType.class,
             parameters = { @org.hibernate.annotations.Parameter(name = "encryptorRegisteredName",
                                                                  value = "strongHibernateStringEncryptor") })
    @Entity
    @Table(name = "USERS")
    public class User {
        .....
        private Address address;

        @Embedded
        @AttributeOverrides({
            @AttributeOverride(name = "countryCode", column = @Column(name = "COUNTRY_CODE")),
        })
        public Address getAddress() {
            return address;
        }
    }

    .....

    @Embeddable
    public class Address {
        private String countryCode;

        @Type(type = "encryptedString")
        private String street;

        @Type(type = "encryptedString")
        private String number;
        ....
    }

My Spring configuration for jasypt is this:

    <!-- bouncy castle -->
    <bean id="bcProviderRegister" class="own.framework.BCProviderRegister"/>

    <!-- jasypt configuration -->
    <bean id="randomSalt" class="org.jasypt.salt.RandomSaltGenerator"/>
    <bean id="zeroSalt" class="org.jasypt.salt.ZeroSaltGenerator"/>

    <bean id="encryptionConfiguration" class="org.jasypt.encryption.pbe.config.WebPBEConfig">
        <property name="algorithm" value="PBEWITHSHA256AND256BITAES-CBC-BC"/>
        <property name="keyObtentionIterations" value="1000"/>
        <property name="validationWord" value="test"/>
        <property name="name" value="PBE PASSWORD"/>
    </bean>

    <bean id="strongStringEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
        <property name="config" ref="encryptionConfiguration"/>
        <property name="saltGenerator" ref="randomSalt"/>
    </bean>

    <bean id="hibernateStringEncryptor" class="org.jasypt.hibernate.encryptor.HibernatePBEStringEncryptor">
        <property name="registeredName" value="strongHibernateStringEncryptor"/>
        <property name="encryptor" ref="strongStringEncryptor"/>
    </bean>

I've read somewhere that the only place where you should put the annotation @TypeDef(name = "encryptedString".....) is in the containing class, which means in User. Even so, I've tried putting the same configuration within User and Address, but with no success.

If anybody can give me a hint on how I should use Jasypt with embedded classes it would be very appreciated.
From: Haavar V. <ja...@ha...> - 2011-02-14 20:16:25

Hi.

I noticed that jasypt has support for spring configuration. This is exactly what I need. One thing that concerned me was that you are extending the spring property placeholder and overrider classes. I believe that concrete inheritance from one library to another is bad. You will compile against one version of the super-class, but I might be using a different version in my application. This could prevent users from upgrading to a new version of spring.

I believe a more flexible solution would be to create a bean factory post processor that looks for the ENC(.*) pattern and decrypts the values. This will allow users to have the encrypted values directly in the xml, or any other source (like an external config server). Users would also be able to make full use of namespace configuration. Using a bean factory post processor will unify the different configuration options you offer into a single setup.

Best
Haavar
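
The bean factory post processor Haavar describes, as an added illustration that is neither jasypt's code nor Haavar's: it walks every bean definition after loading, finds string property values of the form ENC(...) and replaces them with the decrypted text before any bean is instantiated. It assumes Spring's BeanFactoryPostProcessor API and a jasypt StringEncryptor; the ENC marker is the one named in the thread, the bean ids in the comment are hypothetical, and constructor arguments and values nested inside collections are deliberately left untouched.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.jasypt.encryption.StringEncryptor;
import org.springframework.beans.BeansException;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.beans.PropertyValue;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.beans.factory.config.TypedStringValue;

/**
 * Replaces bean property values written as ENC(ciphertext) with their decrypted text.
 * Runs once, after all bean definitions are loaded and before any bean is created, so the
 * encrypted form can live in the XML itself or come from any other definition source.
 *
 * Because it does not implement Ordered, Spring runs it after PriorityOrdered processors
 * such as PropertyPlaceholderConfigurer, so ENC(...) values that arrive through ${...}
 * placeholders have already been resolved by the time it sees them.
 *
 * Registered like any other bean (hypothetical ids):
 *   <bean class="EncryptedValueBeanFactoryPostProcessor">
 *     <constructor-arg ref="stringEncryptor"/>
 *   </bean>
 */
public class EncryptedValueBeanFactoryPostProcessor implements BeanFactoryPostProcessor {

    // Same ENC(...) marker jasypt uses for encrypted property values.
    private static final Pattern ENC_VALUE = Pattern.compile("^ENC\\((.*)\\)$", Pattern.DOTALL);

    private final StringEncryptor encryptor;

    public EncryptedValueBeanFactoryPostProcessor(StringEncryptor encryptor) {
        this.encryptor = encryptor;
    }

    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
        for (String beanName : beanFactory.getBeanDefinitionNames()) {
            BeanDefinition definition = beanFactory.getBeanDefinition(beanName);
            decryptPropertyValues(definition.getPropertyValues());
        }
    }

    // Rewrites ENC(...) entries in place and returns how many were replaced.
    public int decryptPropertyValues(MutablePropertyValues values) {
        int changed = 0;
        // getPropertyValues() returns a copy, so replacing entries while iterating is safe.
        for (PropertyValue pv : values.getPropertyValues()) {
            String ciphertext = encryptedPayload(pv.getValue());
            if (ciphertext != null) {
                // add(name, value) replaces the existing entry carrying the same property name.
                values.add(pv.getName(), encryptor.decrypt(ciphertext));
                changed++;
            }
        }
        return changed;
    }

    // Returns the text inside ENC(...) for string-typed values, or null for anything else
    // (bean references, nested beans, collections), which are left untouched.
    static String encryptedPayload(Object value) {
        String text = null;
        if (value instanceof TypedStringValue) {
            text = ((TypedStringValue) value).getValue();
        } else if (value instanceof String) {
            text = (String) value;
        }
        if (text == null) {
            return null;
        }
        Matcher m = ENC_VALUE.matcher(text.trim());
        return m.matches() ? m.group(1) : null;
    }
}
```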
From: ieliaz1000 <iel...@ya...> - 2011-02-02 16:12:37

Hi Everyone,

Since I'm not an expert with encryption algorithms, maybe my question is trivial, but I didn't find the answer in the documentation... My main requirement is that the encryption mapping must be 1-1 (one to one). I.e., if I encrypt a value X, and it is encrypted to Y, and I store this Y in a list of encrypted values, then if I encrypt this X again and look for its encrypted value in the stored list, I will get the same Y, and find only one Y that corresponds to X. As I understand it, using the Jasypt password encryption utils will not comply with this requirement. Will the StrongTextEncryptor comply?

Thanks
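
The one-to-one requirement asked about here, Daniel's remark elsewhere in this archive that identical output needs a fixed or empty salt, and the equality searches over encrypted Hibernate columns that two other posters want all rest on the same property, shown in this added example (not jasypt's own code, nor any poster's): a StandardPBEStringEncryptor with RandomSaltGenerator yields a different ciphertext on every call, while ZeroSaltGenerator makes it deterministic, which is what an equality match needs and is also what lets anyone holding the column see which rows share a value. The password, the sample column contents and the default PBEWithMD5AndDES algorithm are assumptions made for the demo.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.salt.RandomSaltGenerator;
import org.jasypt.salt.ZeroSaltGenerator;

public class SaltDeterminismDemo {

    // Default setup: a fresh random salt per call, carried inside the ciphertext.
    public static StandardPBEStringEncryptor randomized(String password) {
        StandardPBEStringEncryptor e = new StandardPBEStringEncryptor();
        e.setPassword(password);
        e.setSaltGenerator(new RandomSaltGenerator()); // jasypt's default, made explicit
        return e;
    }

    // Fixed all-zero salt: the same plain text always maps to the same ciphertext (1-1).
    public static StandardPBEStringEncryptor deterministic(String password) {
        StandardPBEStringEncryptor e = new StandardPBEStringEncryptor();
        e.setPassword(password);
        e.setSaltGenerator(new ZeroSaltGenerator());
        return e;
    }

    // Encrypting the same plain text twice: identical only for the deterministic encryptor.
    public static boolean encryptsIdentically(StandardPBEStringEncryptor e, String plain) {
        return e.encrypt(plain).equals(e.encrypt(plain));
    }

    // What a Criteria or SQL equality restriction on an encrypted column amounts to:
    // encrypt the search term and look for an identical stored ciphertext.
    public static int countEqualityMatches(StandardPBEStringEncryptor e, List<String> column, String term) {
        String needle = e.encrypt(term);
        int hits = 0;
        for (String stored : column) {
            if (stored.equals(needle)) {
                hits++;
            }
        }
        return hits;
    }

    public static List<String> encryptColumn(StandardPBEStringEncryptor e, List<String> plain) {
        List<String> out = new ArrayList<String>();
        for (String p : plain) {
            out.add(e.encrypt(p));
        }
        return out;
    }

    static void report(String kind, StandardPBEStringEncryptor e, List<String> plainColumn) {
        List<String> column = encryptColumn(e, plainColumn);
        String target = plainColumn.get(0);
        System.out.println(kind + ": same input encrypts identically -> " + encryptsIdentically(e, target));
        System.out.println(kind + ": equality search for row 0 value finds -> "
                + countEqualityMatches(e, column, target) + " of 2");
        // Decryption works either way: with a random salt, the salt is read back from the ciphertext.
        System.out.println(kind + ": round trip ok -> " + target.equals(e.decrypt(column.get(0))));
        // Equality leak: a fixed salt lets anyone holding the column see which rows share a
        // value, without the password. The randomized column hides that.
        System.out.println(kind + ": rows 0 and 2 share ciphertext -> " + column.get(0).equals(column.get(2)));
    }

    public static void main(String[] args) {
        String key = "demo-password-not-for-production"; // constructed
        // Constructed column contents; rows 0 and 2 hold the same value on purpose.
        List<String> plainColumn = Arrays.asList("alice@example.org", "bob@example.org", "alice@example.org");
        report("randomized", randomized(key), plainColumn);
        report("deterministic", deterministic(key), plainColumn);
    }
}
```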
From: Marius K. <am...@gm...> - 2011-01-28 19:25:06

2011/1/28 Daniel Fernández <dfe...@us...>:
> I'm afraid it's C.

wow, thanks Daniel for the prompt response and explanation.

--
<>< Marius ><>
From: Daniel F. <dfe...@us...> - 2011-01-28 09:58:32

Hi Marius,

I'm afraid it's C. Protecting against attacks in which your "enemy" can read parts of your memory belonging to the space of your virtual machine processes, even being able to identify where your passwords are stored, is completely out of the scope of a library such as Jasypt (and a huge percentage of the security libraries out there).

Think that, for example, if your application is a web application, your users will input their passwords in forms, and they will arrive to you in request parameters that most probably your web framework simply reads as Strings when parsing the HttpServletRequest... and there you are, passwords as Strings in memory. Unless you are reading your HTTP requests byte-by-byte from an inputstream and never letting the Servlet API parse them... something that I bet 99.9% of people don't do.

I am no expert at all in memory attacks, to be honest, but I suppose that if your attacker can access your VM memory space he could also be able to identify your "encryptor" and "decryptor" objects, copy them verbatim somewhere else byte by byte, and use them at will... even without needing to know your passwords or algorithm keys... or maybe I'm wrong.

Regards,
Daniel.

On 28 January 2011 10:31, Marius Kruger <am...@gm...> wrote:
> hi,
> I see that encryptor.setPassword() can only take a String in,
> but as far as I know it is a bad idea to ever put passwords into a String, e.g.:
> http://securesoftware.blogspot.com/2009/01/java-security-why-not-to-use-string.html
>
> So was it a) overlooked, b) not so serious, c) if the enemy can read
> your memory you have lost already
> or d) I'm missing something?
>
> --
> thanks
> <>< Marius ><>
From: Marius K. <am...@gm...> - 2011-01-28 09:32:53

hi,

I see that encryptor.setPassword() can only take a String in, but as far as I know it is a bad idea to ever put passwords into a String, e.g.: http://securesoftware.blogspot.com/2009/01/java-security-why-not-to-use-string.html

So was it a) overlooked, b) not so serious, c) if the enemy can read your memory you have lost already, or d) I'm missing something?

--
thanks
<>< Marius ><>
From: Joe H. <jhi...@gm...> - 2011-01-20 14:19:03

Hi Carlo,

The Encrypting Passwords page has code examples: http://www.jasypt.org/encrypting-passwords.html

Each time you encrypt the password with the StrongPasswordEncryptor, you will get a different digest value (this is because a random salt value is used each time). So comparing two values encrypted with the StrongPasswordEncryptor will not work. Instead, use the checkPassword() method, which takes the plain text password and the already digested password as arguments. This method will use the salt of the already digested password to digest the plain text password and compare the results.

Hope this helps,
Joe Hindsley

Carlo Camerino wrote:
> hi,
>
> how can i use strongpasswordencryptor to encrypt a password and then
> compare it with another password which i encrypted using a
> strongpasswordencryptor as well..
>
> from my experience,
>
> i try to use matches but it doesn't seem to work for this ....
>
> Can anyone explain the output of a strongpasswordencryptor?
>
> like where is the salt located etc....
>
> Thanks A Lot
> Carlo
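
The random-salt behaviour Joe describes here, and Daniel and dedawg discuss earlier in this archive, shown end to end as an added example that is not code from the jasypt project or from any poster: two digests of the same password differ, a string comparison of fresh digests therefore fails, checkPassword() still verifies, and a new encryptor instance created after a simulated restart verifies a digest stored before it. It assumes jasypt on the classpath; the password and the in-memory stand-in for the users table are constructed for the demo.

```java
import java.util.HashMap;
import java.util.Map;
import org.jasypt.util.password.StrongPasswordEncryptor;

public class PasswordDigestDemo {

    // Constructed stand-in for a USERS table: username -> stored digest string.
    private final Map<String, String> userTable = new HashMap<String, String>();

    // Registration path: store only the salted digest, never the plain text.
    public void register(StrongPasswordEncryptor encryptor, String user, String plainPassword) {
        userTable.put(user, encryptor.encryptPassword(plainPassword));
    }

    // Login path: checkPassword() reads the salt out of the stored digest, digests the
    // candidate with that same salt and iteration count, and compares the results.
    public boolean login(StrongPasswordEncryptor encryptor, String user, String candidate) {
        String stored = userTable.get(user);
        return stored != null && encryptor.checkPassword(candidate, stored);
    }

    // The mistake from the thread: digesting the candidate again and comparing strings.
    // A fresh random salt is drawn, so this fails even for the correct password.
    public boolean naiveCompare(StrongPasswordEncryptor encryptor, String user, String candidate) {
        String stored = userTable.get(user);
        return stored != null && encryptor.encryptPassword(candidate).equals(stored);
    }

    public String storedDigest(String user) {
        return userTable.get(user);
    }

    public static void main(String[] args) {
        PasswordDigestDemo demo = new PasswordDigestDemo();
        StrongPasswordEncryptor beforeReboot = new StrongPasswordEncryptor();
        String plain = "correct horse battery staple"; // constructed sample password

        demo.register(beforeReboot, "alice", plain);
        System.out.println("stored digest               : " + demo.storedDigest("alice"));
        System.out.println("same plain text, digested again: " + beforeReboot.encryptPassword(plain));

        System.out.println("naive string compare        : " + demo.naiveCompare(beforeReboot, "alice", plain));
        System.out.println("checkPassword, right password: " + demo.login(beforeReboot, "alice", plain));
        System.out.println("checkPassword, wrong password: " + demo.login(beforeReboot, "alice", "wrong"));

        // Simulated restart: a new encryptor instance holds no state about earlier salts;
        // the salt travels inside the stored digest, so verification still works.
        StrongPasswordEncryptor afterReboot = new StrongPasswordEncryptor();
        System.out.println("checkPassword after restart : " + demo.login(afterReboot, "alice", plain));
    }
}
```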