2

I have been told not to create my own salt and hashing methods, because the ones already existing in Java are far superior. After looking into it a bit, I do not quite understand the following:

  • What is the difference between creating the hash, and verifying it?
  • If the salt is random every time, don't you need a token to verify passwords other than the username?

How do I generate and verify hashed and salted passwords in a contemporary way for a Java web application?

Jonas Grønbek
  • 1,709
  • 2
  • 22
  • 49
  • Yes, the salt is stored along with the hashed password. You should look into using bcrypt, scrypt, PBKDF2, or Argon2. See also https://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage/6415#6415 – David Conrad May 22 '18 at 10:15
  • 2
    "I have been told of creating my own salt and hashing methods" ... as an academic exercise, or for production code? If it's the former, fine. If it's the latter, **do not write your own crypto**. – Michael May 22 '18 at 10:15

1 Answer

2

Here is the usual approach to storing passwords with hashing.

What is the difference between creating the hash, and verifying it?

  1. Take the plain-text password, add a random salt, then store the salt and the hashed password in the database.
  2. When a user wants to log in, you take their submitted password, add the random salt from their account information, hash it, and see if it equals the stored password hash in their account information.

If the salt is random every time, don't you need a token to verify passwords other than the username?

If you look at #2, a token may be required for session purposes, but not for authentication (checking if the user is legitimate).

There are good questions on the same subject. There are good working examples related to it that you could use.

Red Boy
  • 5,429
  • 3
  • 28
  • 41
  • But if the salt is random when storing, and when authenticating, shouldn't they be different? – Jonas Grønbek May 22 '18 at 11:53
  • 3
    @JonasGrønbek, while authenticating, you read the stored salt from the user profile, so yes, you could say the salt is the same for a particular user every time, as you are storing it in the user profile. Though once you have authenticated correctly, you could again generate a salt and recalculate the hash if required. – Red Boy May 22 '18 at 11:57