Password hashing in Java

I was recently asked to provide db based user authentication for a relatively application, which user primarily ldap user authentication. This nearly backdoor-looking feature is only for a handful of users which made it ideal for experimentation. I could have stored user passwords as plain-text and nobody else would ever know, but the one person that would know matters the most, me.

Almost every application uses passwords for user autentization. Although in complex environment, you don't usually want users to have different password for every application, there are situations that needs different approach. And in those times, security shouldn't be taken lightly. Whether you are writing small intranet application, or full scale internet application, you should always protect your user's accounts, because a lot of studies suggest that majority of users use the same password for everything, so for these users, when one application falls, they all fall. That is the reason why have i decided to do a small research how to protect user passwords the right way.

The most commom way to protect passwords from being misused when stolen is hashing. Hashing algoritms are often supplied with random characters alongside with plain-text passwords, this is called salting. Salted hash is better protected against brute-force attack, because of a higher complexity.

I have considered several approaches and picked one that has suited me the most. I am now using hashing utility jBCrypt. It is a powerfull tool with very simple API and very good security.

jBCrypt's API provides two main methods and one support method. Hashing password is done by hashpw method, it takes plain-text and salt as arguments. Returned hash is always 60 characters long, so storing the hash in database is quite simple as CHAR(60) is enough.
BCrypt.hashpw(password, BCrypt.gensalt());
Method gensalt is adjustable by passing optional int argument for complexity. Accepted values are 4 to 31 (default is 10 and higher number means more complex salt).

The second important method is used for password verification. Method checkpw has two parameters, the first is a plain-text password and the second one is the hash created by previous method. Returned value is true, if the password matches the hash or false in other cases.
BCrypt.checkpw(candidate, hashed);
I really like this implementation of BCrypt, as it is only one java class, which makes it easy to incorporate it into any project.

Comments

  1. for ict 99January 23, 2016 at 11:37 PM

    Great Article Java Password Hashing

    Java Training in Chennai | Java EE online training

    ReplyDelete
  2. Esma KalanJuly 9, 2021 at 12:32 PM

    no deposit bonus forex 2021 - takipçi satın al - takipçi satın al - takipçi satın al - tiktok takipçi satın al - instagram beğeni satın al - instagram beğeni satın al - google haritalara yer ekleme - btcturk güvenilir mi - izlenme-satin-al.com - numarasmsonay.com - borsagazete.com - takipcisatinals.com - izlenme-satin-al.com/youtube - google haritalara yer ekleme - altyapısız internet - mikrofiber havlu - forexbonus2020.com - tiktok jeton hilesi - tiktok beğeni satın al - microsoft word ücretsiz indir - misli apk indir - binance güvenilir mi - takipçi satın al - mikrofiber havlu - uc satın al - takipçi satın al - takipçi satın al - finanspedia.com

    ReplyDelete
  3. UnknownJuly 26, 2021 at 4:02 AM

    instagram takipçi satın al
    instagram takipçi satın al
    takipçi satın al
    instagram takipçi satın al
    takipçi satın al
    aşk kitapları
    tiktok takipçi satın al
    instagram beğeni satın al
    youtube abone satın al
    twitter takipçi satın al
    tiktok beğeni satın al
    tiktok izlenme satın al
    twitter takipçi satın al
    tiktok takipçi satın al
    youtube abone satın al
    tiktok beğeni satın al
    instagram beğeni satın al
    trend topic satın al
    trend topic satın al
    youtube abone satın al
    beğeni satın al
    tiktok izlenme satın al
    sms onay
    youtube izlenme satın al
    tiktok beğeni satın al
    sms onay
    sms onay
    perde modelleri
    instagram takipçi satın al
    takipçi satın al
    tiktok jeton hilesi
    pubg uc satın al
    sultanbet
    marsbahis
    betboo
    betboo
    betboo

    ReplyDelete
  4. UnknownAugust 12, 2021 at 1:57 PM

    marsbahis
    betboo
    sultanbet
    marsbahis
    betboo
    sultanbet

    ReplyDelete
  5. UnknownAugust 25, 2021 at 6:26 PM

    ucuz takipçi
    ucuz takipçi
    tiktok izlenme satın al
    binance güvenilir mi
    okex güvenilir mi
    paribu güvenilir mi
    bitexen güvenilir mi
    coinbase güvenilir mi
    instagram takipçi satın al
    instagram takipçi satın alz

    ReplyDelete
  6. UnknownApril 27, 2022 at 9:01 AM

    bitcoin nasıl alınır
    tiktok jeton hilesi
    youtube abone satın al
    gate io güvenilir mi
    referans kimliği nedir
    tiktok takipçi satın al
    bitcoin nasıl alınır
    mobil ödeme bozdurma
    mobil ödeme bozdurma

    ReplyDelete
  7. UnknownMay 2, 2022 at 6:43 AM

    mmorpg oyunlar
    instagram takipçi satın al
    tiktok jeton hilesi
    Tiktok jeton hilesi
    Sac ekimi antalya
    ınstagram takipçi satin al
    İnstagram Takipçi Satın Al
    metin2 pvp serverlar
    TAKİPÇİ SATIN AL

    ReplyDelete
  8. UnknownMay 17, 2022 at 11:36 PM

    perde modelleri
    MOBİL ONAY
    türk telekom mobil ödeme bozdurma
    nft nasıl alınır
    Ankara evden eve nakliyat
    trafik sigortasi
    dedektör
    Web sitesi kurma
    aşk kitapları

    ReplyDelete
  9. SingharnavMay 23, 2023 at 10:35 PM

    If you're seeking the Best Animation and Multimedia Training in Noida, APTRON Noida is a perfect choice. With our comprehensive courses, experienced trainers, cutting-edge infrastructure, and placement assistance, we ensure that you receive a top-notch learning experience. Join us at APTRON Noida and take the first step towards a successful career in the exciting world of animation and multimedia.

    ReplyDelete

Post a Comment

Popular posts from this blog

Automatic jsp recompile on Jboss AS 7

Image
Most of the applications I work on are based on jsp's and usually run on Jboss AS of various versions. And even though the newer applications are maven based and run on Jboss AS 7, almost nothing have changed in a matter of development. At least I thought that nothing have changed, but that was only because my carelessness. When you are developing web tier, there is no compiler telling you what is wrong in the real time, you depend on syntax validation only. And that enables you to do a lot of small mistakes that usually end up with error 500 and a need to redeploy the application. But this is the case only until you discover the right configuration!
Read more

Ldap security for JAMWiki

My last post was dedicated to using LDAP as security back end for Jenkins-CI . Now I would like to present a process of enabling the same security for my favourite wiki implementation ... JAMWiki . This post refers to version 1.2.0 . I believe that it is a shame, that this is not well documented. There is a commented-out section in config xml (WEB-INF/applicationContext-security.xml), but it does not work out of the box as I have hoped for and it's modification is not an easy task for someone not familiar with spring security. That is why I wrote this post. What I wanted to achieve was to connect the JAMWiki's security (users and roles) to my LDAP, that was presented in my last post. As it is always easier to manage users on the same place. This process is described on JAMWiki's web , but it is certainly not in a copy-paste form and it took me quite some time to modify into working piece of code.
Read more