0

I use MD5 algorithm to hash passwords with salt. After registering a user, I store both hashed password and salt in my SQL database. Unfortunately, when I retrieve them, later, so as to compare them with the user's input I address a problem with the encoding of salt. I store salt as VARCHAR(16) and when I try to retrieve it from my DataBase, it converts in a different form. This is my code :

ResultSet rs = stmt.executeQuery("SELECT * FROM users");
String DB_salt1 = rs.getString("Salt");
byte [] DB_salt = DB_salt1.getBytes();

I used some System.out.println(); functions in order to locate the problem and I found out that byte [] DB_salt = DB_salt1.getBytes(); outputs the wrong salt, while String DB_salt1 = rs.getString("Salt"); outputs the proper one. My guess is that it happens byte loss.

EDIT: To clarify, the proper salt and the one stored in my DataBase, let's say is [B@4e25154. String DB_salt1 = rs.getString("Salt"); stores this salt; the proper one. But when byte [] DB_salt = DB_salt1.getBytes(); is executed, it outputs a different salt, which ruins the whole process.

Xaris
  • 73
  • 1
  • 7
  • Possible duplicate of [Where do you store your salt strings?](http://stackoverflow.com/questions/1219899/where-do-you-store-your-salt-strings) – Raedwald Jul 01 '16 at 11:43
  • 5
    Don't use MD5 for passwords, that's not what it is designed for. Other algorithms, like bcrypt, are way better, and actually handle storing the salt for you. – stuXnet Jul 01 '16 at 11:43
  • If you execute .getBytes() you get bytes, if you execute getString() you get a String. Both of them have a different appearance, because they are different data types @stuXnet isn't MD5 the standard and most used way to hash passwords? – KJaeg Jul 01 '16 at 11:47
  • @KJaeg I wouldn't say it's "the standard"™, but yes, I'm afraid it's the most used way to hash passwords, even if it _really_ shouldn't be. – stuXnet Jul 01 '16 at 12:01
  • @stuXnet Ok, thanks for the information. Back in university our professor for IT-security told, that we should use the algorithms, which are mostly used, because the reason why they are used is that until now no one figured out to crack them. Back then, MD5 was the top algorithm. – KJaeg Jul 01 '16 at 12:27
  • To be more specific, the function that returns the hashed password takes two parameters; one is the salt and the other the password to hash. The salt, obviously, is a byte array (byte[]) variable. So I want to know, how to properly store the salt in the DB and then how to retrieve it. – Xaris Jul 01 '16 at 12:32
  • If you want to securely save the password hash in the DB you must use a HMAC-like function that is iterated to require a substantial amount of time to calculate. Use password_hash, bcrypt, PBKFF2, script or another such method. Just hashing with a salt is not secure. You need to decide if you want security or just a half-hearted attempt that an attack can exploit. – zaph Jul 01 '16 at 13:26
  • For more information see: See OWASP (Open Web Application Security Project) [Password Storage Cheat Sheet](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Leverage_an_adaptive_one-way_function). See [How to securely hash passwords, The Theory](http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846) on Security Stackexchange. – zaph Jul 01 '16 at 13:29

1 Answers1

-1

The best way to store the passwords in the Database is using Bcrypt. With this you don't need to store the salt.

Below is the sample code that uses Bcrypt.

1) String pw_hash = BCrypt.hashpw("PLAIN PASSWORD", BCrypt.gensalt());

2) Store the pw_hash in DB

3) if(BCrypt.checkpw("PLAIN PASSWORD", pw_hash)){ System.out.println("Success Login"); }else{ System.out.println("Failure Login"); }

Steps 1 and 2 will be followed while user registering the password for the first time. While Step 3 is used if the given password is matching with the encrypted password.

Madan Reddy
  • 85
  • 3
  • Unfortunately, I want to store the salt as a part of the project. – Xaris Jul 01 '16 at 12:17
  • If you store the salt in DB, then anyone who has access to DB can see the salt and encrypt password. Using them they can decrypt the password easily. So it is highly security threat. – Madan Reddy Jul 01 '16 at 12:35
  • 3
    The salt is not a secret and hashing is not encryption. bcrypt infact stores the salt as part of the output, see [Bcrypt](https://en.wikipedia.org/wiki/Bcrypt). Example bcrypt output: "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy", the salt portion is " N9qo8uLOickgx2ZMRZoMye". – zaph Jul 01 '16 at 13:32