I have a group of users. Every one of them has the same username-password combination. The data is encrypted (see code below) in my db. The question is, what is the best and most secure way to handle the whole use case? I just want to send the username-password combo in an email, the same email to every user. Should I just decode the password, or save the text password for the period until the email has been sent to the user and delete the textual password after that, or do you have any ideas for that?
The data in my software is not that precious, but still...
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.logging.Level;
import java.util.logging.Logger;

// Replaces the user's clear-text password with its Base64-encoded SHA-256 digest.
// Note: SHA-256 is a one-way hash, so the clear text cannot be recovered from the
// stored value; it is also unsalted and fast, which makes it weak against offline guessing.
private Users hashPasswordBase64(Users currentUser) {
    try {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        String text = currentUser.getPassword();
        md.update(text.getBytes(StandardCharsets.UTF_8));   // a Charset never throws UnsupportedEncodingException
        byte[] digest = md.digest();
        currentUser.setPassword(Base64.getEncoder().encodeToString(digest));
    } catch (NoSuchAlgorithmException ex) {
        Logger.getLogger(UsersController.class.getName()).log(Level.SEVERE, null, ex);
    }
    return currentUser;
}
I would recommend decoding the password on the fly, sending the email, and disposing of the variable. Storing the password only makes it easier for a trojan to retrieve it.
Besides that, I would suggest providing a password that needs to be changed by the user after the very first login. This way, the user would be able to choose a password that is easy for him to memorize, and you won't have any problems sending out the clear-text passwords because they become invalid after a single use.
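Added example, not code from the question or the answer above: a worked version of the flow the question describes and the answer recommends, in Java. One caveat first: the SHA-256 digest in the question's code is a one-way hash and cannot be "decoded", so the only place the clear-text password can be emailed from is the variable that holds it at generation time, which is exactly what the example does. It keeps the clear text in a local char[] only long enough to hash it and hand it to the mailer, wipes it, stores just a salted PBKDF2 hash plus a must-change flag, and invalidates the emailed password on the first forced change. It goes beyond the question in one respect: it generates a different random temporary password per user instead of one shared by everyone, since the per-user cost is nil. The Account class, the MailSender interface, and Java 11+ (for String.lines) are assumptions; they stand in for the question's Users entity and whatever mail library the project uses.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class TemporaryPasswordProvisioning {

    // Hypothetical account record standing in for the question's Users entity (assumption).
    static final class Account {
        final String username;
        String passwordHash;          // "base64(salt):base64(pbkdf2)"; never the clear text
        boolean mustChangePassword;   // true while the stored hash is of an emailed temporary password
        Account(String username) { this.username = username; }
    }

    // Hypothetical mail hook; wire it to JavaMail or similar in a real deployment (assumption).
    interface MailSender { void send(String to, String body); }

    enum LoginResult { REJECTED, MUST_CHANGE_PASSWORD, OK }

    private static final SecureRandom RNG = new SecureRandom();
    private static final int PBKDF2_ITERATIONS = 210_000;  // slows offline guessing; tune to your hardware
    private static final int KEY_BITS = 256;

    // 12 random bytes -> 16 URL-safe characters: unpredictable enough for a one-time credential.
    static char[] generateTemporaryPassword() {
        byte[] raw = new byte[12];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw).toCharArray();
    }

    // Salted, slow hash; unlike unsalted SHA-256, equal passwords produce different stored values.
    static String hashPassword(char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(pbkdf2(password, salt));
    }

    static boolean verifyPassword(char[] password, String stored) {
        if (stored == null) return false;
        String[] parts = stored.split(":", 2);
        if (parts.length != 2) return false;
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, pbkdf2(password, salt));  // constant-time compare
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 not available", e);
        } finally {
            spec.clearPassword();
        }
    }

    // The flow from the question: the clear text exists only inside this method, goes out in the
    // email, and is wiped. The database only ever sees the hash plus the must-change flag.
    static Account provision(String username, MailSender mailer) {
        Account acct = new Account(username);
        char[] temp = generateTemporaryPassword();
        try {
            acct.passwordHash = hashPassword(temp);
            acct.mustChangePassword = true;
            mailer.send(username, "Username: " + username + "\nTemporary password: " + new String(temp) + "\n");
        } finally {
            Arrays.fill(temp, '\0');  // the String handed to the mailer cannot be wiped; see the note below
        }
        return acct;
    }

    static LoginResult login(Account acct, char[] presented) {
        if (!verifyPassword(presented, acct.passwordHash)) return LoginResult.REJECTED;
        return acct.mustChangePassword ? LoginResult.MUST_CHANGE_PASSWORD : LoginResult.OK;
    }

    // Called from the forced-change screen; this is what makes the emailed password single-use.
    static void changePassword(Account acct, char[] newPassword) {
        acct.passwordHash = hashPassword(newPassword);
        acct.mustChangePassword = false;
    }

    public static void main(String[] args) {
        // Constructed stand-in for outgoing mail: keeps the last body so the demo reads the
        // temporary password back the way the user would, from the email, not from the database.
        String[] outbox = new String[1];
        MailSender mailer = (to, body) -> outbox[0] = body;

        Account acct = provision("alice@example.com", mailer);
        System.out.println(outbox[0]);
        System.out.println("stored in db: " + acct.passwordHash);

        String line = outbox[0].lines().filter(l -> l.startsWith("Temporary password: ")).findFirst().orElseThrow();
        char[] temp = line.substring("Temporary password: ".length()).toCharArray();

        System.out.println("wrong password         -> " + login(acct, "guess".toCharArray()));
        System.out.println("emailed password       -> " + login(acct, temp));   // accepted, but flagged for a change
        changePassword(acct, "correct horse battery staple".toCharArray());
        System.out.println("emailed password again -> " + login(acct, temp));   // the temporary password is now dead
        System.out.println("user's own password    -> " + login(acct, "correct horse battery staple".toCharArray()));
    }
}
```

Two practical points. The clear text still has to become a Java String for the email body, and Strings cannot be zeroed, so "dispose of the variable" is only approximate on the JVM; the must-change flag is what actually bounds the exposure, because the emailed value stops working at first login. If users may take days to log in, it is also worth recording when the temporary password was issued and refusing it after a fixed window, which this example does not do.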