How secure is a password converted to bytes, to binary, to hash. In a database? For like storing a jPasswordField password.
- Hashing is encoding... Why would you possibly want to explicitly convert a string to bytes then to binary first? Just hash it with a modern hashing algorithm and be done. – doelleri Jun 08 '17 at 20:08
- @doelleri Oh ok. Because I couldn't find a clean short way to convert a 'String' to binary. I know how to with an 'int'. – StarCoder Jun 08 '17 at 20:44
- @doelleri - Hashing, encryption and encoding are three different things. – martinstoeckli Jun 08 '17 at 20:53
- @martinstoeckli You're right. I wasn't thinking on that one. I blame [Spring Security](https://docs.spring.io/spring-security/site/docs/current/apidocs/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html). – doelleri Jun 08 '17 at 21:08
1 Answer
Using a strong hash with a random salt is sufficiently safe. You will need to store both the hash and the salt in the database. You should read more about how to securely store user credentials, and if you have security questions, https://security.stackexchange.com/ may be a better forum.

Samuel
- Since hashes are non-reversible, hashing a plain-text password is just as secure as hashing a binary encoding of the plain-text password. It's unnecessary to encode the password in any other way prior to hashing. – Samuel Jun 08 '17 at 20:49
- Hashing passwords with SHA-* is **not** safe, because it is way too fast; one can brute-force about [3 Giga SHA-256 per second](http://thepasswordproject.com/oclhashcat_benchmarking). That's why we need a password-hash function with a cost factor, to control the necessary time. – martinstoeckli Jun 08 '17 at 20:55
- @martinstoeckli good to know. I removed the suggestion of using sha-256. – Samuel Jun 08 '17 at 20:59
- See this answer for a good hashing example in Java: https://stackoverflow.com/questions/2860943/how-can-i-hash-a-password-in-java – Samuel Jun 08 '17 at 21:03
- @StarCoder - The easiest way is to use a password-hash function like BCrypt, SCrypt, PBKDF2 or Argon2. Usually they all generate a salt on their own, and offer another function for verification. How this works, I tried to describe in another [answer](https://stackoverflow.com/a/20399775/575765). – martinstoeckli Jun 08 '17 at 21:04