The safest way to store passwords in your application is not to store them at all. Instead, store a one-way representation of each password in the form of a salted hash.
Standard security practice requires that passwords never be stored in plain text. Unlike data protected by encryption (such as SSL traffic), a password never needs to be decrypted in order to be compared with a submitted value; instead, a one-way, computationally intensive representation of the value, a hash, is produced by a hashing function.
A hashing function always produces the same output for the same input, so identical passwords yield identical hashes and a single precomputed dictionary of hashes can be checked against every account. To prevent this, an additional random string, called a salt, is generated for each password and fed into the hashing function together with it, producing a hash that is unique to that password and salt.
When verifying a user's password, the stored salted hash is read. Because the stored hash contains the salt with which it was generated, the hashing function reuses that same salt to hash the submitted text value, and the resulting hash is compared with the stored one.
A great library to use for password hashing operations is Bcrypt. It is currently a widely accepted standard algorithm for password hashing.
Add the following line to build.sbt.
Add a Hash utility to your project.
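As an added illustration of the steps above (this is example code, not the Hash utility or build.sbt line from the LineDrop project), a minimal Scala Hash object built on the jbcrypt library; it assumes the dependency `"org.mindrot" % "jbcrypt" % "0.4"` has been added to build.sbt, and the HashDemo object and its sample password are constructed for the demonstration.

```scala
// Added example; assumes build.sbt contains:
//   libraryDependencies += "org.mindrot" % "jbcrypt" % "0.4"
import org.mindrot.jbcrypt.BCrypt

object Hash {
  // bcrypt cost parameter: 2^12 rounds. Raise it as hardware gets faster,
  // but measure login latency before doing so.
  private val LogRounds = 12

  /** Produce a salted bcrypt hash. gensalt draws a fresh random salt each call,
    * and the salt is embedded in the returned string, so nothing else needs storing. */
  def create(password: String): String =
    BCrypt.hashpw(password, BCrypt.gensalt(LogRounds))

  /** Verify a candidate password against a stored hash. checkpw reads the cost and
    * salt back out of the stored hash, re-hashes the candidate with them and compares. */
  def verify(candidate: String, storedHash: String): Boolean =
    BCrypt.checkpw(candidate, storedHash)

  /** The first 29 characters of a bcrypt string hold the version, cost and salt
    * ($2a$<cost>$<22-char salt>); the remaining 31 characters are the hash itself. */
  def saltOf(storedHash: String): String = storedHash.take(29)
}

// Constructed demonstration; the password is a sample value, not a real credential.
object HashDemo extends App {
  val samplePassword = "correct horse battery staple"
  val stored = Hash.create(samplePassword)

  println(s"stored hash : $stored")
  println(s"salt portion: ${Hash.saltOf(stored)}")
  println(s"correct password verifies: ${Hash.verify(samplePassword, stored)}")
  println(s"wrong password verifies  : ${Hash.verify("not the password", stored)}")

  // Hashing the same password again yields a different string, because a new salt
  // is drawn each time; both hashes still verify the same password.
  val storedAgain = Hash.create(samplePassword)
  println(s"second hash equals first : ${storedAgain == stored}")
  println(s"second hash verifies     : ${Hash.verify(samplePassword, storedAgain)}")
}
```

Note that bcrypt only processes the first 72 bytes of the input, so very long passphrases are silently truncated at that length.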
See the complete example at LineDrop Play/Scala Web Application - User Model.
Make sure that the password is sent over HTTPS.