What have in mind when they say that it need to store password hash in the database?

Question

I am a novice in web development. I use Java and try develop simple pilot application with registration functionality. I do not want to store a user password in the database explicitly for security.

I was told that it is necessary to store the password hash. But what does this mean? What is hash? I know that in Java, every object has a unique hash code. This is what I need? I need to call method hashcode() of the password? Maybe I just need to apply the encryption method? Or first get the hash code for my password and then to encrypt it?

I think there are a lot of options and approaches for safety storing passwords. But what exactly is meant by the hash in this case?

Answer 1

It means that you don't store user password in plain text as user entered it on registration, instead hash the password with an irreversible hash algorithm such as MD5 and save this value to database.

Here is an answer that explains how to How can I generate an MD5 hash?

When checking password, hash the password user entered in login form using same algorithm, then compare it with the one saved in database.

Answer 2

Depending on how secure you need your users' passwords to be, then you may need to use cryptographic salt and stretching as well.

Salt means adding some random bytes to the password before hashing. That way if two users pick the same password then they will have different hashes. Store the salt alongside the hash and use it every time you need to recalculate the hash.

hash <- SHA256(password + salt)  // + is concatenation

Salting means that if one of your users has their password broken, then other users with the same password will have different hashes in the database, and so prevent the attacker immediately knowing their passwords as well. Salts can be 16 bytes long for good security.

Stretching means repeating the calculation a lot of times so it takes about 0.1 second to run. A tenth of a second delay will not affect your users, but will mean that anybody trying to guess a password can only make ten guesses a second.

hash <- SHA256(password + salt)
do 5000 times
  hash <- SHA256(hash + salt)
end do

Adjust the number 5000 to get the delay you want.

Answer 3

You are probably looking for the PASSWORD function of SQL. This is the simpliest solution to store any password encrypted in your database.

There you go: http://dev.mysql.com/doc/refman/5.1/en/password-hashing.html

Or just here: http://www.google.com/search?q=sql+function+password+hash

Answer 4

Instead of all the options, I would suggest you look up information about PBKDF2. PBKDF2 is implemented in Java.

byte[] salt = new byte[256 / Byte.SIZE];
SecureRandom defaultRNG = new SecureRandom();
defaultRNG.nextBytes(salt);

SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
KeySpec ks = new PBEKeySpec(password,salt,2000,256);
SecretKey s = f.generateSecret(ks);
final byte[] result = s.getEncoded();

You should store both the salt and the result. Perform the same calculation and binary compare the results to verify the password. I've used 256 bit salt and output size. Using SHA-1 is not an issue within PBKDF2. An iteration count of 2000 should be about the minimum, use a higher value if your application can handle the CPU requirements.

Answer 5

Main idea of storing hash instead of a password, plain or encrypted, is that hash is irreversible - anyone gains access to db and/or encryption keys, and still cannot know passwords. It's not just about obfuscation/encryption. Hash is used to loose information which allows to recover password and to make it impossible to recognize password in any way. Hash is any function you wish to use which guarantees desired degree of uniqueness and irreversibility - java hash code is easy to duplicate, MD5 and SHA1 have known weaknesses. Now recommended is for example SHA-256.