The server stored passwords encrypted using the Blowfish method, for example:

$2a$10$dfda807d832b094184faeu1elwhtR2Xhtuvs3R9J1nfRGBCudCCzC 

From the Android side, a username and password are sent in unencrypted form to the server, where the same password is generated from the password on the server and the transmitted one, and a comparison is made.

Question: how do I transfer the unencrypted password from Android to the server safely, that is, in encrypted form, and compare it on the server with the existing password?

  • How to transfer the unencrypted password from Android in encrypted form? =) You probably need to send some kind of md5 hash - Android Android
  • Use an SSL connection. - Visman

3 answers

@Visman wrote correctly, but for some reason in the comments and not in the answers. To securely transmit anything to the server, use an encrypted connection. The simplest case is https.

Authorization over https, even if the rest of the work is done over http, has long been a standard for web applications.

  • The fact is that this is not a web application but a native one. The transfer is carried out via HTTP Client in Android using a POST request. The login is entered not on a website of any kind but in the developed Android application - Mac
  • And what is the problem with passing credentials entered not on the site but in the application over https? - Pavel Mayorov
  • That's an idea. So I just write https:// before the domain name? - Mac
  • Well, if everything is in order with the certificate on the server, then yes, you can do that. Sometimes certificate pinning is also done, but in general it is not necessary. - Pavel Mayorov
  • Unfortunately not, simply changing it to https:// does not work - Mac

The password is a string. Transform it by any algorithm known to you (say, swap syllables in some places, multiply all numbers by 17, or transform intermediate letters by some rule, roughly speaking), and perform the inverse transformation on the server. If someone opens your application and digs around in it, of course, this will not save you, but it can protect you from simple interception of the password (as long as the attacker does not know the formula, for him it will be just a set of characters, nothing more)

Blowfish itself is not safe. Try using AES-512 + asynchronous encryption on Android. Create applications for the droid .... Example:

Alice puts her letter in an iron box and, having locked it with her padlock, sends it to Bob. On receiving the box, Bob (attention!) takes his own padlock and, having additionally locked the box with it, sends it back. The box arrives at Alice's already with two padlocks (recall: the first is Alice's padlock, for which she has the key, and the second is Bob's, for which only Bob has the key). Alice removes her padlock and sends the box back to Bob. Bob receives the box with only his own padlock on it, for which he has the key. Bob opens his remaining padlock with his key and reads the message.

  • What is the insecurity of Blowfish? - Vladimir Martyanov
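The box-and-padlocks story above is the Shamir three-pass protocol, where each padlock is modular exponentiation by a secret exponent and the padlocks commute. The following is an added example, not code from the answerer or from any project; the prime modulus, the message and all function names are constructed for the demo.

```python
import secrets
from math import gcd

# Constructed demo parameter: a Mersenne prime as the modulus. Any message
# encoded as an integer below P can be "put in the box".
P = 2**127 - 1

def make_padlock(p: int):
    """Return (lock_exp, key_exp): a random exponent e coprime with p-1 and
    its inverse d mod p-1, so that pow(pow(x, e, p), d, p) == x for all x."""
    while True:
        e = secrets.randbelow(p - 3) + 2          # 2 <= e <= p-2
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def snap_lock(x: int, e: int, p: int) -> int:
    """Attach a padlock: raise to the secret exponent. Locks commute because
    (x^a)^b == (x^b)^a mod p, which is what lets Alice remove hers first."""
    return pow(x, e, p)

def open_lock(x: int, d: int, p: int) -> int:
    """Remove a padlock with the matching key exponent."""
    return pow(x, d, p)

def three_pass_exchange(message: bytes, p: int = P):
    """Run the three passes and return (recovered_message, transcript).
    Only the three transcript values ever cross the wire; no key does."""
    m = int.from_bytes(message, "big")
    if not 0 < m < p:
        raise ValueError("message must fit below the modulus")
    alice_lock, alice_key = make_padlock(p)       # Alice's padlock and key
    bob_lock, bob_key = make_padlock(p)           # Bob's padlock and key

    pass1 = snap_lock(m, alice_lock, p)           # Alice -> Bob: Alice's lock on
    pass2 = snap_lock(pass1, bob_lock, p)         # Bob -> Alice: both locks on
    pass3 = open_lock(pass2, alice_key, p)        # Alice -> Bob: only Bob's lock left
    recovered = open_lock(pass3, bob_key, p)      # Bob opens with his own key

    # Caveat for anyone tempted to use this instead of TLS: nothing here
    # authenticates Bob, so a man-in-the-middle can play Bob towards Alice and
    # Alice towards Bob without either noticing. That is why the accepted
    # answer to the question is https, whose certificates provide that.
    out = recovered.to_bytes((recovered.bit_length() + 7) // 8, "big")
    return out, (pass1, pass2, pass3)
```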