0

Years ago I used a Java (Spring) framework for hashing passwords and storing them in a database, but I can't remember the name.

The advantage was that it didn't only store the hashed value with salt etc., but also the information about the algorithm used and the configuration, like {'alg':'bcrypt', { 'salt':'dsjhjdsfh', 'iter':'356178372', ..}, 'hash':'ju3j7HJghkdfk'}

So it was possible to change the algorithm: new passwords used it automatically, old passwords could still be verified automatically with the old algorithm, but after successful validation they were updated with the new algorithm.

Does this framework still exist? I was searching really hard, but had no luck.

Michael D.

1 Answer

1

Current implementations of BCrypt exist this way. Although they are not stored in a plaintext-JSON-like structure, you will still be able to change the algorithm or the number of rounds and the old hashes will still be able to verify correctly.

Refer to this particular answer to see how a BCrypt hash is generated and the metadata associated with it is stored as a single string.

It is already present in the Spring framework, or you can also get it as a separate library. Usage is also very simple.

Community
gtux
  • Thanks, that's good to know. As far as I understand, BCrypt is the state of the art. There was also PBKDF2, there is SCrypt, and I heard about Argon2. So what I have in mind is a framework that wraps around that, because there will probably be a better one. So the bcrypt structure is fine and great for bcrypt, but if you want to migrate to another one, you are lost again. But perhaps this framework is gone. – Michael D. Apr 27 '17 at 07:19
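
The scheme described in the question and the comment, as an added example (not from the original posts, and not the API of any Java or Spring library): each record stores the algorithm id and its parameters next to the salt and hash, so a policy change only affects new and re-hashed passwords. It uses Python's standard library because that ships both PBKDF2 and scrypt; the record format, the `CURRENT` policy values and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, os

# Allow-list of algorithms, keyed by the id stored in each record. Parameters
# are read from the record itself, so old records stay verifiable.
def _pbkdf2(pw, salt, p):
    return hashlib.pbkdf2_hmac("sha256", pw, salt, int(p["iter"]), dklen=32)

def _scrypt(pw, salt, p):
    return hashlib.scrypt(pw, salt=salt, n=int(p["n"]), r=int(p["r"]),
                          p=int(p["p"]), maxmem=64 * 1024 * 1024, dklen=32)

ALGORITHMS = {"pbkdf2-sha256": _pbkdf2, "scrypt": _scrypt}

# Current policy (assumed values); changing this line is the whole migration.
CURRENT = ("scrypt", {"n": "16384", "r": "8", "p": "1"})

def _b64(raw):
    return base64.b64encode(raw).decode()

def encode(pw, alg=None, params=None):
    """Return a self-describing record: alg$k=v,k=v$salt$hash."""
    alg, params = (alg, params) if alg else CURRENT
    salt = os.urandom(16)
    digest = ALGORITHMS[alg](pw.encode(), salt, params)
    plist = ",".join(f"{k}={v}" for k, v in sorted(params.items()))
    return "$".join([alg, plist, _b64(salt), _b64(digest)])

def verify_and_upgrade(stored, pw):
    """Return (ok, new_record). new_record is set only when the password
    verified but the record was not produced under the CURRENT policy."""
    try:
        alg, plist, salt, digest = stored.split("$")
        params = dict(kv.split("=") for kv in plist.split(","))
        expected = base64.b64decode(digest)
        actual = ALGORITHMS[alg](pw.encode(), base64.b64decode(salt), params)
    except (KeyError, ValueError):
        return False, None        # unknown algorithm or malformed record
    if not hmac.compare_digest(actual, expected):
        return False, None
    if (alg, params) != CURRENT:
        return True, encode(pw)   # re-hash while the plaintext is in hand
    return True, None
```

The caller writes `new_record` back to the user row whenever it is not `None`. Accounts that never log in keep their old record, so the old algorithm has to stay in the allow-list until those records are retired.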