Password hashing in Java

I was recently asked to provide db based user authentication for a relatively application, which user primarily ldap user authentication. This nearly backdoor-looking feature is only for a handful of users which made it ideal for experimentation. I could have stored user passwords as plain-text and nobody else would ever know, but the one person that would know matters the most, me.

Almost every application uses passwords for user autentization. Although in complex environment, you don't usually want users to have different password for every application, there are situations that needs different approach. And in those times, security shouldn't be taken lightly. Whether you are writing small intranet application, or full scale internet application, you should always protect your user's accounts, because a lot of studies suggest that majority of users use the same password for everything, so for these users, when one application falls, they all fall. That is the reason why have i decided to do a small research how to protect user passwords the right way.

The most commom way to protect passwords from being misused when stolen is hashing. Hashing algoritms are often supplied with random characters alongside with plain-text passwords, this is called salting. Salted hash is better protected against brute-force attack, because of a higher complexity.

I have considered several approaches and picked one that has suited me the most. I am now using hashing utility jBCrypt. It is a powerfull tool with very simple API and very good security.

jBCrypt's API provides two main methods and one support method. Hashing password is done by hashpw method, it takes plain-text and salt as arguments. Returned hash is always 60 characters long, so storing the hash in database is quite simple as CHAR(60) is enough.
BCrypt.hashpw(password, BCrypt.gensalt());
Method gensalt is adjustable by passing optional int argument for complexity. Accepted values are 4 to 31 (default is 10 and higher number means more complex salt).

The second important method is used for password verification. Method checkpw has two parameters, the first is a plain-text password and the second one is the hash created by previous method. Returned value is true, if the password matches the hash or false in other cases.
BCrypt.checkpw(candidate, hashed);
I really like this implementation of BCrypt, as it is only one java class, which makes it easy to incorporate it into any project.

Comments

Post a Comment

Popular posts from this blog

Automatic jsp recompile on Jboss AS 7

Image
Most of the applications I work on are based on jsp's and usually run on Jboss AS of various versions. And even though the newer applications are maven based and run on Jboss AS 7, almost nothing have changed in a matter of development. At least I thought that nothing have changed, but that was only because my carelessness. When you are developing web tier, there is no compiler telling you what is wrong in the real time, you depend on syntax validation only. And that enables you to do a lot of small mistakes that usually end up with error 500 and a need to redeploy the application. But this is the case only until you discover the right configuration!
Read more

Maven build notifications

Image
Setting up new environment is usually a great time to reflect on all the great things and all the bad things you had encountered in the past. Now I had just experienced this very moment twice in a row, thus resulting in a full scale tools revision. One of the things I have always overlooked were command line aliases. Once I decided to use aliases, another question was in order: Why to stop there, isn't there a way to put them to even better use? And after a while of googling I found a great article http://erics-notes.blogspot.cz/2013/06/maven-ant-alerts-in-ubuntu.html , it describes how to get system notifications from command line.
Read more

How to update XML file without reformatting it

Recently, I needed to modify content of a few thousands XML files. The modification itself was nontrivial and consisted of reading two attributes from an element and then updating a value of a previously read attribute. And to make it even more interesting, I wanted to keep the formatting of all files intact. My goal was creating a reusable utility that could be used also in the future, should such a need rise again. Because of the need to preserve the formatting, I rejected all tools I usually use (Dom4j, SAX, Jaxb) and started to search for a suitable tool. Finally I found the answer in a form of a recommendation on http://stackoverflow.com , the tool recommended was VTD-XML (or on github ).
Read more