
What is the best way to hash passwords to SHA1 in a mobile java application using SQLite?

Below is how the data is inserted into the database. I want the password to be hashed, preferably in SHA1. It will be used to log in on another page as well, so do I need to do a similar process in that Java class?

SignUp.Java

public void onSignUpClick(View v) {
    if (v.getId() == R.id.Bsignupbutton) {
        EditText name = (EditText) findViewById(R.id.TFname);
        EditText email = (EditText) findViewById(R.id.TFemail);
        EditText uname = (EditText) findViewById(R.id.TFuname);
        EditText pass1 = (EditText) findViewById(R.id.TFpass1);
        EditText pass2 = (EditText) findViewById(R.id.TFpass2);
        String namestr = name.getText().toString();
        String emailstr = email.getText().toString();
        String unamestr = uname.getText().toString();
        String pass1str = pass1.getText().toString();
        String pass2str = pass2.getText().toString();
        if (!pass1str.equals(pass2str)) {
            // popup msg
            Toast pass = Toast.makeText(SignUp.this, "Passwords don't match!", Toast.LENGTH_SHORT);
            pass.show();
        } else {
            // validate each field in turn, showing the first error found
            if (name.getText().toString().length() == 0) {
                name.setError("Name Required");
            } else if (!email.getText().toString().matches("[a-zA-Z]{1}\\.[a-zA-Z]*[0-9]{4}@student\\.leedsbeckett\\.ac\\.uk")) {
                email.setError("Incorrect Email Format");
            } else if (!uname.getText().toString().matches("[cC][0-9]{7}")) {
                uname.setError("Incorrect ID Format");
            } else if (!pass1.getText().toString().matches("(?=.*[\\d])(?=.*[a-z])(?=.*[A-Z]).{8,}")) {
                pass1.setError("Incorrect Password Format");
            } else {
                // insert the details in database (password currently stored as typed)
                Contact c = new Contact();
                c.setName(namestr);
                c.setEmail(emailstr);
                c.setUname(unamestr);
                c.setPass(pass1str);
                helper.insertContact(c);
                Toast pass = Toast.makeText(SignUp.this, "User Registered", Toast.LENGTH_LONG);
                pass.show();
                Intent i = new Intent(SignUp.this, com.example.oliver.beckettreg.MainActivity.class);
                startActivity(i);
            }
        }
    }
}
Jad Chahine
oliver_13

4 Answers

You should not invent your own hashing and salting mechanisms.

Look at JBCrypt--a Java implementation of BCrypt:

http://www.mindrot.org/projects/jBCrypt/

The API is very simple:

// Hash a password for the first time
String hashed = BCrypt.hashpw(password, BCrypt.gensalt());

// gensalt's log_rounds parameter determines the complexity
// the work factor is 2**log_rounds, and the default is 10
String hashedStronger = BCrypt.hashpw(password, BCrypt.gensalt(12));

// Check that an unencrypted password matches one that has
// previously been hashed
if (BCrypt.checkpw(candidate, hashed))
    System.out.println("It matches");
else
    System.out.println("It does not match");
Jason

Make use of the Apache Commons Codec library.

https://commons.apache.org/proper/commons-codec/apidocs/org/apache/commons/codec/digest/DigestUtils.html#sha1Hex(java.lang.String)

final String SALT = "any strange string that you like";

String mySha1String = DigestUtils.sha1Hex(myString + SALT);

For database purposes, you should not change the salt; otherwise the SHA-1 will not be the same for the same input string. Another thing: wouldn't it be better to use SHA-3, a better standard?

GarouDan

It will be used to log in on another page as well, so do I need to do a similar process in that Java class?

Yes, you would have to replicate the hashing procedure when checking if a password is valid or not. The point of passwords is that they are stored in your database using a one-way hash (with salt) so that if someone maliciously obtains the hash of a password, there is no way for them to get the original password from the hash (in theory). In this way, password hashing is somewhat different from cryptography since once the original password is hashed (i.e. encrypted), you don't really care about the original value of the password, meaning there is no need to have a hashing algorithm which can be reversed (decrypted), usually leading to stronger ciphers.

To more explicitly answer your question, in your Login Class (or wherever you do your password checking), once the user gives you their password, you will need to hash it again (using the same algorithm and the same salt) and test to see if this hash matches the password hash stored in the DB.

As for the hashing itself, as Jason pointed out, you shouldn't implement your own version of the algorithm since you're sure to make mistakes due to the complexity of such an algorithm. You should look for some packages which implement what you need.

Eugen Hotaj

I suggest using jBCrypt

jBCrypt is a Java™ implementation of OpenBSD's Blowfish password hashing code

Check it from here http://www.mindrot.org/projects/jBCrypt/

and this one: http://techblog.bozho.net/bcrypt-salt-its-the-bare-minimum/

For more info: How can I hash a password in Java?

Jad Chahine
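The following is an added example, not code from the question or from any of the answers, showing the two halves that Jason's and Eugen Hotaj's answers describe: hashing with jBCrypt at sign-up, and verifying the candidate password at login by re-running the same algorithm against the stored hash. It assumes the jBCrypt jar (package org.mindrot.jbcrypt, the library linked above) is on the classpath; the question's Contact/helper database code is replaced by an in-memory map, and the PasswordStore class, its method names and the sample username are all constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import org.mindrot.jbcrypt.BCrypt;

// Added example (not from the question or answers): sign-up and login with jBCrypt.
public class PasswordStore {
    // Work factor: 2^12 bcrypt rounds. Raise it as devices get faster.
    private static final int LOG_ROUNDS = 12;

    // Stand-in for the SQLite users table: username -> stored bcrypt hash string.
    private final Map<String, String> users = new HashMap<>();

    // Sign-up path: never store the plaintext. gensalt() draws a fresh random salt
    // per user; the salt and work factor are embedded in the returned hash string,
    // so a single stored column is enough to verify later.
    public boolean register(String username, String password) {
        if (users.containsKey(username)) {
            return false; // already registered
        }
        String hash = BCrypt.hashpw(password, BCrypt.gensalt(LOG_ROUNDS));
        users.put(username, hash);
        return true;
    }

    // Login path: fetch the stored hash and let checkpw re-derive the hash with the
    // salt it carries and compare. This is the "similar process in the login class"
    // the question asks about: verify against the stored hash, never re-insert.
    public boolean login(String username, String password) {
        String stored = users.get(username);
        if (stored == null) {
            // Hash anyway so an unknown username takes about as long as a wrong
            // password; avoids leaking which usernames exist through timing.
            BCrypt.hashpw(password, BCrypt.gensalt(LOG_ROUNDS));
            return false;
        }
        return BCrypt.checkpw(password, stored);
    }

    public static void main(String[] args) {
        PasswordStore store = new PasswordStore();
        // Constructed sample values matching the question's [cC][0-9]{7} ID format.
        System.out.println("register: " + store.register("c1234567", "Correct-Horse1"));
        System.out.println("login, right password: " + store.login("c1234567", "Correct-Horse1"));
        System.out.println("login, wrong password: " + store.login("c1234567", "Wrong-Horse2"));
        System.out.println("login, unknown user: " + store.login("c7654321", "Correct-Horse1"));
    }
}
```

The stored value is the full bcrypt string (version, cost, salt and hash), so the login code needs no separate salt column and no shared constant, which is the weakness of the fixed-SALT approach in the Commons Codec answer above: with one global salt, two users with the same password get the same hash, and a single precomputed table covers every account.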