I used the Apache library to hash passwords for two applications on Linux. One of them is Pure-Ftp and the other is my application. I manually save the hashed password in the Pure-Ftp passwd file; it works fine and the user can use FTP with the given user/password.
In my application I want to authenticate the user, but there is no checkPassword(clearTextPassword, hashedPassword) function.

import org.apache.commons.codec.digest.Crypt;
...
...
...
String hashedValue = Crypt.crypt(clearTextPassword);
..
M-Razavi
  • Well no, you need to *write* that code. Where are you storing the hashed passwords? It's really unclear what you're asking for here. (It's not clear what relationship there is between your password and FTP...) Also I would personally avoid using SHA-1 as a password hash for any serious work. – Jon Skeet Feb 03 '17 at 11:53
  • Just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as `PBKDF2` (aka `Rfc2898DeriveBytes`), `password_hash`/`password_verify`, `Bcrypt` and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. Protecting your users is important, please use secure password methods. – zaph Feb 03 '17 at 14:29
  • I thought SHA1 512 was secure, isn't it? I don't want to use bash function. I want to generate a hashed password once in Java, then save it in the database and Pure-Ftp's passwd file. – M-Razavi Feb 03 '17 at 15:08

1 Answer


To verify a password, you can hash the given simple password with savedHashedPassword as the salt:

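  import java.nio.charset.StandardCharsets;
  import java.security.MessageDigest;

  private static boolean checkPassword(String password, String hashedPassword) {
       // The stored hash embeds the salt, so passing it as the salt reuses that salt.
       String tmpHashedPassword = Crypt.crypt(password, hashedPassword);
       // crypt(3) output is case-sensitive: compare exactly and in constant time.
       return MessageDigest.isEqual(hashedPassword.getBytes(StandardCharsets.UTF_8),
               tmpHashedPassword.getBytes(StandardCharsets.UTF_8));
  }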

Crypt.crypt(password) calculates the digest using the strongest crypt(3) algorithm. A random salt and the default algorithm (currently SHA-512) are used.
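
The verification described in this answer, written out as an added example that is not part of the original post: it re-hashes the candidate password with the stored value as the salt, compares the result exactly, and handles records that Crypt cannot parse. It assumes commons-codec is on the classpath; the class name `CryptPasswordCheck`, the policy of accepting only `$6$` (SHA-512) records and the sample password are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.apache.commons.codec.digest.Crypt;

// Added example; the class name and the "$6$ only" policy are assumptions, not from the post.
public class CryptPasswordCheck {

    // "$6$" is the crypt(3) scheme id for SHA-512, the default the answer mentions.
    private static final String SHA512_PREFIX = "$6$";

    static boolean checkPassword(String password, String storedHash) {
        // Refuse missing records and any entry not hashed with SHA-512 crypt.
        if (password == null || storedHash == null || !storedHash.startsWith(SHA512_PREFIX)) {
            return false;
        }
        String recomputed;
        try {
            // The stored value starts with "$6$<salt>$", so passing it as the salt
            // makes Crypt reuse the original salt (and rounds, if present).
            recomputed = Crypt.crypt(password, storedHash);
        } catch (IllegalArgumentException e) {
            return false; // truncated or malformed salt field
        }
        // crypt(3) output is case-sensitive: compare exactly, in constant time.
        return MessageDigest.isEqual(
                recomputed.getBytes(StandardCharsets.UTF_8),
                storedHash.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String stored = Crypt.crypt("correct horse"); // constructed sample password
        System.out.println("stored:         " + stored);
        System.out.println("right password: " + checkPassword("correct horse", stored));
        System.out.println("wrong password: " + checkPassword("Correct horse", stored));

        // Same record with only the digest part upper-cased: a case-insensitive
        // comparison would treat this corrupted entry as equal to the recomputed hash.
        int cut = stored.lastIndexOf('$') + 1;
        String caseChanged = stored.substring(0, cut) + stored.substring(cut).toUpperCase();
        System.out.println("case-changed:   " + checkPassword("correct horse", caseChanged));

        // A record cut off after the scheme id has no salt for Crypt to parse.
        System.out.println("truncated:      " + checkPassword("correct horse", "$6$"));
    }
}
```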