How Does Password Encryption Work? Illustration With a Typical Example
Let's start by thinking about where we actually need to put encryption into action and how we implement it. Apart from the wide-ranging encryption done at the database end, there are two popular approaches to implementing encryption: one done at the client side (the one we will mainly discuss in this article) and one done at the server side (i.e., the request carries the password in the clear and it is encrypted at the server before being processed further).
The former of the two is clearly preferable, as it removes the chance of the request being intercepted in the middle before it actually reaches the web/app server. Well... you can say that the data packaged in an HTTP POST request is already encrypted in the case of HTTPS, but an extra level of encryption only improves the security of the web application. Obviously, the implementation should not be too time-consuming; otherwise the advantage of having a more secure application will be outweighed by the frustration it causes its end-users.
Though this depends on the actual implementation, the preferred choice (in highly secure systems) is that the actual password is never exposed anywhere in the system. This means the encrypted password stored in the DB is fetched but not decrypted back to the password the end-user types; instead, some other form of it is matched against the decrypted one at the middle tier to authenticate the user.
The entered password is first encrypted at the client side using a Public Key ('public key1' in the above diagram), and the encrypted password then reaches the App Server, where it is decrypted with the corresponding Private Key ('private key1' in the above diagram). The App Server also fetches the password kept in the database, which itself needs to be decrypted using another Private Key ('private key2' in the above diagram). Now, the implementation of the algorithms and the generation of the keys must be such that the two decrypted values 'decryptedpwd1' and 'decryptedpwd2' are equal for valid logins and unequal otherwise.
How else could we do it at the client side? What about Applets?
Implementing different public/private keys for every new request: you may be aware of the Secure Key concept that forms part of the password on many systems. The idea in such implementations is to have a part of the password that keeps changing continuously, making it virtually impossible for attackers to guess. Similarly, if we want to raise the encryption strength to an even higher level, we could use a different public/private key pair for each new request.