1

I'm working on a school project making a java program including a login/subscribe form.

Because it's for school I'm not supposed to include any third-party library like jBcrypt or other strong hashing function. I think about generating one salt per user with a sha256 of java.security.random but I don't know what hashing function to use for the password. I don't want to use only one iteration of a sha256/512 as it's a bit weak and I also don't want to make a for loop with 100 iteration of a sha256/512 as I guess if bcrypt and others exist it''s because iterating sha isn't enough (and also because I know it's always a bad idea to try reinventing cryptography by yourself).

So what built-in hashing function should I use to store my password ?

NB. I know that in this case (school project) the login data don't deserve a very good security (and it's also not required by my subject) but I want to do it as good as possible so please don't answer that a md5/sha512 hash would be enough for such a situation.

IggY
  • 3,005
  • 4
  • 29
  • 54

2 Answers2

1

I suggest that you study how to use SHA256 and 512 for passwords, with some care about salting.

See e.g. http://www.jasypt.org/howtoencryptuserpasswords.html

Section "6. Doing it in Java" describes the Java methods you could use to implement the algorithm if you do not want to use an external library.

Good luck!

TFuto
  • 1,361
  • 15
  • 33
0

Use PBKDF2WithHmacSHA1 with as many iterations as the user is willing to wait for. I would suggest 10,000.

This is pertinent: http://en.wikipedia.org/wiki/PBKDF2#BlackBerry_vulnerability

Sarel Botha
  • 12,419
  • 7
  • 54
  • 59