Showing posts from November, 2013

Salted hash implementation in Login, in a nutshell

The best approach is to hash the passwords instead of encrypting them, because with encryption key management becomes an issue.

Benefits of storing passwords as salted hashes:

- Real passwords are never stored, displayed or logged in the system
- Salts make dictionary attacks very impractical, because it is very difficult to generate a pre-computed hash table when the salts are random
- It's easier to implement, as there is no need for key management

A general approach would be like this (when storing):

- When the user first registers, generate a long random salt using a cryptographically strong function such as SecureRandom in Java
- Hash the above salt together with the user's chosen password using a standard, strong hashing algorithm such as SHA-256
- Now store the username, salted hash and respective salt in the DB

When retrieving (authenticating the user):

- When the user submits his username-passw
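The storing steps above as a runnable Java sketch (an added example, not code from the original post). The class name, the in-memory map standing in for the DB, the 16-byte salt length and the sample accounts are assumptions; the authentication half is also an assumption, using the usual recompute-and-compare, since the post's own description of it is cut off.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class SaltedHashLogin {
    // Hypothetical stand-in for the DB table: username -> { salt, saltedHash }
    private static final Map<String, byte[][]> USERS = new HashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    // SHA-256 over salt || password, as the post describes
    static byte[] hash(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Registration: fresh random salt per user; only salt and hash are stored
    static void register(String user, String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16]; // assumed salt length
        RNG.nextBytes(salt);
        USERS.put(user, new byte[][] { salt, hash(salt, password) });
    }

    // Authentication: recompute with the stored salt, compare in constant time
    static boolean authenticate(String user, String password) throws NoSuchAlgorithmException {
        byte[][] row = USERS.get(user);
        // Unknown users still cost one hash, so response time does not reveal them
        byte[] salt = (row != null) ? row[0] : new byte[16];
        byte[] expected = (row != null) ? row[1] : new byte[32];
        boolean match = MessageDigest.isEqual(expected, hash(salt, password));
        return row != null && match;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample accounts sharing one password
        register("alice", "correct horse");
        register("bob", "correct horse");
        System.out.println("alice, right password: " + authenticate("alice", "correct horse"));
        System.out.println("alice, wrong password: " + authenticate("alice", "guess"));
        System.out.println("unknown user: " + authenticate("mallory", "correct horse"));
        // Same password, different salts: the stored hashes differ
        System.out.println("alice and bob hashes equal: "
                + Arrays.equals(USERS.get("alice")[1], USERS.get("bob")[1]));
    }
}
```

A single SHA-256 pass is cheap per guess for anyone holding the stored salts and hashes. The same structure works with a deliberately slow function such as PBKDF2 (`PBKDF2WithHmacSHA256` in Java's `SecretKeyFactory`), bcrypt, scrypt or Argon2 in place of `hash`.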