Java Programming [Archive] - password as hash value in db
This topic has 14 replies on 1 page.

Posts:514
Registered: 28.10.02
password as hash value in db  
Jun 21, 2004 3:25 AM



 
Hello Folks,

I believe that a hash value is a good method to save the password in the DB,
but one thing I can't understand.

If I really can create the SAME hash every time my application user logs in,
why can nobody get the password from the hash value?
I create the hash using this class:
sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();


regards.
Sako!
 

Posts:13,252
Registered: 24/10/97
Re: password as hash value in db  
Jun 21, 2004 3:30 AM (reply 1 of 14)



 

sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
Not a good hash generator as it is easy to invert. Use something like SHA-1 or MD5 in the JCE.

Also, when you generate the hash, generate the hash of the password concatenated with the user name. This way, two users with the same password will not have the same hash value in the database.
 

Posts:514
Registered: 28.10.02
Re: password as hash value in db  
Jun 21, 2004 3:46 AM (reply 2 of 14)



 

Not a good hash generator as it is easy to invert. Use
something like SHA-1 or MD5 in the JCE.

Also, when you generate the hash, generate the hash
of the password concatenated with the user name.

Do you have a good example of this method for me, please?

thanks

 

Posts:2,830
Registered: 9/1/03
Re: password as hash value in db  
Jun 21, 2004 4:03 AM (reply 3 of 14)



 

Not a good hash generator as it is easy to invert.
Use
something like SHA-1 or MD5 in the JCE.

Also, when you generate the hash, generate the hash
of the password concatenated with the user name.

Do you have a good example of this method for me, please?


...
String hash = sha256(password + username)
however it's not foolproof, as sabre discusses,
in the case of 2 users & passwords like:
joe:blogs
joeb:logs
so the solution is to use some salt (i.e. some numbers outside the range
of inputtable chars for usernames and passwords) and append them onto the end of the
password when hashing - of course you need to store this salt also.
 

Posts:2,830
Registered: 9/1/03
Re: password as hash value in db  
Jun 21, 2004 4:05 AM (reply 4 of 14)



 
uhh, but then their passwords aren't the same.

blushes
 

Posts:13,252
Registered: 24/10/97
Re: password as hash value in db  
Jun 21, 2004 6:25 AM (reply 5 of 14)



 
Do you have a good example of this method for me, please?
See below. You may need to change the character encoding from ASCII. You could
probably re-use both BASE64Encoder and the MessageDigest to save having to
create them each time.

import java.security.*;
import sun.misc.BASE64Encoder; // internal JDK class; removed in JDK 9, java.util.Base64 is the public replacement

public class SHA
{
    // Returns the Base64 text of the SHA-1 digest ("SHA" is the JDK alias for SHA-1) of the input.
    public static String hash(String stringToHash) throws Exception
    {
        MessageDigest md = MessageDigest.getInstance("SHA");
        md.update(stringToHash.getBytes("ASCII"));
        byte[] hashBytes = md.digest();
        BASE64Encoder encoder = new BASE64Encoder();
        return encoder.encode(hashBytes);
    }

    static public void main(String[] args)
    {
        try {
            String stringToHash = "User Name" + "Password";
            System.out.println(stringToHash + " hashed to " + hash(stringToHash));
        }
        catch (Exception e)
        {
            System.out.println("Problem, exception = " + e);
            e.printStackTrace(System.out);
        }
    }
}
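The three points argued in this thread (Base64 is reversible, plain username+password concatenation can collide, and a per-user salt keeps equal passwords from producing equal column values) can be seen in one run. The following is an added example written for this page, not code posted by any of the participants. It assumes a class name of its own, a made-up password column layout of "<base64 salt>$<base64 digest>", constructed sample users and passwords, and java.util.Base64 (JDK 8+) in place of sun.misc.BASE64Encoder; the PBKDF2 iteration count is an illustrative choice, not a value from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStorageDemo {

    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getEncoder();

    /** SHA-256 over the concatenation of the given byte arrays. */
    static byte[] sha256(byte[]... parts) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (byte[] p : parts) {
            md.update(p);
        }
        return md.digest();
    }

    /** The scheme discussed in the thread: hash(username + password), no separator, no salt. */
    static String naiveHash(String username, String password) throws Exception {
        byte[] input = (username + password).getBytes(StandardCharsets.UTF_8);
        return B64.encodeToString(sha256(input));
    }

    /** Random per-user salt stored next to the digest; "<salt>$<digest>" is this example's own layout. */
    static String enroll(String password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] digest = sha256(salt, password.getBytes(StandardCharsets.UTF_8));
        return B64.encodeToString(salt) + "$" + B64.encodeToString(digest);
    }

    /** Recompute with the stored salt and compare without leaking timing information. */
    static boolean verify(String stored, String password) throws Exception {
        String[] parts = stored.split("\\$", 2);
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = sha256(salt, password.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(expected, actual);
    }

    /** Slow, salted derivation; the iteration count (100000) is an illustrative assumption. */
    static byte[] pbkdf2(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        // 1. Base64 is an encoding, not a hash: the original poster's "hash" decodes straight back.
        String encoded = B64.encodeToString("hunter2".getBytes(StandardCharsets.UTF_8));
        String decoded = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        System.out.println("Base64 round-trip: " + encoded + " -> " + decoded);

        // 2. Plain concatenation: "joe"+"blogs" and "joeb"+"logs" are the same bytes, so the same hash.
        System.out.println("naive joe/blogs : " + naiveHash("joe", "blogs"));
        System.out.println("naive joeb/logs : " + naiveHash("joeb", "logs"));
        System.out.println("collide? " + naiveHash("joe", "blogs").equals(naiveHash("joeb", "logs")));

        // 3. Random salt: two users with the same (constructed) password get different column values,
        //    so cracking one entry does not reveal the other.
        String alice = enroll("correct horse");
        String bob = enroll("correct horse");
        System.out.println("alice: " + alice);
        System.out.println("bob  : " + bob);
        System.out.println("same stored value? " + alice.equals(bob));
        System.out.println("alice, right password: " + verify(alice, "correct horse"));
        System.out.println("alice, wrong password: " + verify(alice, "battery staple"));

        // 4. The same salt idea with PBKDF2, which is deliberately slow to raise the cost of guessing.
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        System.out.println("pbkdf2: " + B64.encodeToString(pbkdf2("correct horse", salt)));
    }
}
```

Run with `java PasswordStorageDemo.java` on JDK 11 or later. The salt is generated with SecureRandom and stored in the clear beside the digest, which is all it needs to be; its job is uniqueness per row, not secrecy. A single SHA-256 pass, salted or not, is fast enough that guessing remains cheap, which is why the last step shows PBKDF2: the salt handling is identical, only the cost of each guess goes up.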
 

Posts:6,750
Registered: 1/25/04
Re: password as hash value in db  
Jun 21, 2004 8:51 AM (reply 6 of 14)



 
Also, when you generate the hash, generate the hash
of the password concatenated with the user name. This
way, two users with the same password will not have the
same hash value in the database.

This seems to imply you want to afford the same level of protection to usernames as to passwords, which strikes me as unnecessary. What I would do is store the username in clear text and a one-way hash of the password. When someone enters a username and password, hash the password and look in the database for a match on both fields. Simple.
 

Posts:13,252
Registered: 24/10/97
Re: password as hash value in db  
Jun 21, 2004 12:34 PM (reply 7 of 14)



 
Also, when you generate the hash, generate the hash
of the password concatenated with the user name. This
way, two users with the same password will not have the
same hash value in the database.

This seems to imply you want to afford the same level
of protection to usernames as to passwords, which
strikes me as unnecessary. What I would do is store

This is not trying to add any protection to the username! The username would be stored in the DB in plain text form. All adding the username into the hash does is to (almost certainly) make the hash value for two users different even if their passwords are the same.

the username in clear text and a one-way hash of the
password. When someone enters a username and
password, hash the password and look in the database
for a match on both fields. Simple.
 

Posts:6,750
Registered: 1/25/04
Re: password as hash value in db  
Jun 21, 2004 1:18 PM (reply 8 of 14)



 
But isn't that more complex than simply looking up both username and password hash, with no additional value?
 

Posts:37,103
Registered: 3/30/99
Re: password as hash value in db  
Jun 21, 2004 1:30 PM (reply 9 of 14)



 
But isn't that more complex than simply looking up
both username and password hash, with no additional
value?

Also more secure.
 

Posts:6,750
Registered: 1/25/04
Re: password as hash value in db  
Jun 21, 2004 1:33 PM (reply 10 of 14)



 
Meaning it's harder to snoop a username? If the connection is encrypted and the database server is well-protected it would seem redundant, and if not, then irrelevant.
 

Posts:37,103
Registered: 3/30/99
Re: password as hash value in db  
Jun 21, 2004 1:41 PM (reply 11 of 14)



 
Meaning it's harder to snoop a username? If the
connection is encrypted and the database server is
well-protected it would seem redundant, and if not,
then irrelevant.

I think you're missing the point.

Username is still stored plain text. Password column, however, instead of storing a hash of just password, stores hash of (username + password). We're not trying to protect the username. We're trying to make it so that if two users have the same password, they won't have the same value stored in the password column.
 

Posts:6,750
Registered: 1/25/04
Re: password as hash value in db  
Jun 21, 2004 3:01 PM (reply 12 of 14)



 
OK, what's the problem with two users having the same value stored in the password column?
 

Posts:3,055
Registered: 18/06/98
Re: password as hash value in db  
Jun 21, 2004 3:17 PM (reply 13 of 14)



 
If you break the first user's password, you will break the second automatically.
It is not difficult to break hashed passwords if you have no special policies for choosing passwords, but if you have carefully chosen passwords, you will have to break the second password instead of simply getting it for free if you have access to the password database and find two passwords that match.
 

Posts:37,103
Registered: 3/30/99
Re: password as hash value in db  
Jun 21, 2004 3:18 PM (reply 14 of 14)



 
OK, what's the problem with two users having the same
value stored in the password column?

In and of itself, nothing. But if it's known that only the password itself goes into generating that hash, then knowing one of those passwords gives you the other. Probably not a real problem in most situations, but as a general principle, you don't want to have the ability to derive one from the other.
 