Dealing with passwords securely
I have a Java web service and a Java web client making use of this service. One of the functions is to create a new user account. My two concerns are:
- How will I send the user's password securely from the client.
- How will I store the user's password securely on the server.
How can I achieve these? I know the basic theory behind security, security algorithms etc., but can anyone give me some advice on how I should go about coding it? Could anyone point me to some good (and if possible not complicated) examples to follow, since I found some examples on the Internet very contorted?
Thanks a lot and regards, Krt_Malta
Typically, if you are concerned about the password being transmitted in the clear from the web client to the service, you would run the service through SSL.
On the back-end, I do not ever store the password in the clear; I hash it before storing it. Make sure to use salts. When the user logs in at a later date, I hash the password they submitted and then compare the hashed value with the previously stored hashed value. If they match, then the user has authenticated. In my case there's more to it than this (with remember-me features, etc.), but that is the guts of it.
I use the Apache Shiro framework to help with much of this. It is fairly lightweight and doesn't require a web-environment, but will work with one as well. It integrates with Spring and other solutions as well, but again, this is not required. Probably worth checking out.
John's rule: always try to avoid writing your own security software. It's too easy to make mistakes like encrypting instead of hashing, not using salts, etc. You won't find many security experts to review your code, but you can expect that quite a few have looked at the more popular open source systems.
Firstly, can you use OpenID or Shibboleth to avoid giving people yet another system that they need a password on -- I'd thank you if I could use an existing account!
If the answer is no, then for password storage, try a free LDAP server such as OpenDS or Apache Directory Server.
Use Spring Security or similar to manage the logins, and the remember-me. (There's a nice video that introduces spring security.)
You will need to use SSL (https) as mentioned in other answers if you want your system to communicate passwords from client to server.