
I need to treat the user passwords (hashing etc.) before storing them in the database, so that in case the database security is compromised the hackers don't get plain-text passwords directly.

Is there any Java library that allows for treating these passwords before DB storage and also allows for performant match checking when a user attempts to log in?

Rajat Gupta
  • What do you understand by treating? What is wrong with standard hash functions like MD5/SHA etc.? – Iłya Bursov Oct 30 '13 at 22:17
  • By "treating", I mean generate a secure hash and salt for the password. I'm looking for a library to generate these hashes, or otherwise is there any package in Java 7 that provides this? – Rajat Gupta Oct 30 '13 at 22:21
  • possible duplicate of [Java - Hash algorithms - Fastest implementations](http://stackoverflow.com/questions/5446080/java-hash-algorithms-fastest-implementations) – Iłya Bursov Oct 30 '13 at 22:21
  • [Have a look at this other question](http://stackoverflow.com/questions/2860943/suggestions-for-library-to-hash-passwords-in-java) in case you need a complete crypto library: check out Bouncy Castle – gadget Oct 30 '13 at 22:24
  • @Ilya Bursov: that question is not specific to user password hashing, I suppose. I'm not looking for the fastest one either. – Rajat Gupta Oct 30 '13 at 22:53
  • @user01 what is the difference between hashing and password hashing? – Iłya Bursov Oct 30 '13 at 22:59
  • @user01 if you speak in terms of security, of course MD5/SHA-1 are not very good variants, but all links on this page give alternatives like SHA-2, bcrypt etc. – Iłya Bursov Oct 30 '13 at 23:01

2 Answers

1

There are certainly Java libraries for crypto, but you don't need a library to compute a salted hash and to compare strings. Just pick a strong hashing algorithm and a reasonably long salt. Take a look at this link for an in-depth introduction.

Raffaele
1

If you really value security, it's best to use a hashing function designed for passwords over a simple one like MD5 or SHA. Some examples are PBKDF2, bcrypt or scrypt; all should have Java libraries available.

If you implement salting yourself, please use long salts and don't reuse them between users.

Murph