How Does Password Encryption Work well? Illustration With a Typical Example
Let's begin from thinking about which all places can we actually need to put encryption into action and the way do we implement them? Except the wide ranging encryption done on the Database end, there are two popular approaches of implementing encryption - One, which is done in the client side (normally the one we will mainly mention in this article) and Two, that is done at the server side (i.e., the request carries your password and at the server it's encrypted being processed further). Decrypt Bcrypt Online
The first kind of the two is obviously advisable to have as it eliminates the chance of the request being intercepted in the centre before it actually reaches the web/app server. Well... you can say that the data packaged in a HTTP POST request is automatically encrypted in case there is HTTPS, but an extra amount of encryption will only improve the security of the web application. Needless to say, the implementation shouldn't be too much time consuming otherwise the benefits of having a more secure application will probably be ruled over by the frustration it might provoke its end-users.
Though, it depends upon the actual implementation, but possibly the preferred choice (in highly secure systems) is that the actual password should not be exposed anywhere in system, this means the encrypted password saved in DB is fetched and probably not decrypted to actual password that this end-user uses, but instead some other form which is matched with all the decrypted one at the middle-tier to authenticate an individual.
The entered password is first encrypted in the client side with all the Public Key ('public key1' in the above diagram) and then the encrypted password reaches the App Server where it's decrypted a corresponding Private Key ('private key1' within the above diagram). App Server also fetches the password stored in the database, which might need to be decrypted using another Private Key ('private key2' in the above diagram). Now, the implementation from the algorithms and the generation in the keys should be in ways that both the decrypted passwords 'decryptedpwd1' and 'decryptedpwd2' should match equal for all your valid cases plus they should be unequal otherwise. Hash Bcrypt
How else can we do it at the client side? How good would Applets be?
Impl of public/private keys for every new request: you would probably be aware of the Secure Key concept which forms an element of the password on many systems. The root idea in such implementations is to have part of the password which will keep on changing with a continuous basis and thus making it virtually impossible for that attackers to estimate that. Similarly, if we want to boost the encryption strength to an even higher level, we can easily put in place different public/private key combinations for each new request.