Learn Java hashing algorithms in-depth for hashing passwords. A secure password hash is a fixed-length sequence of characters obtained by applying a one-way hashing algorithm (plus related manipulations such as salting) to a user-provided password, which is generally very weak and easy to guess.

There are many such hashing algorithms in Java that can prove effective for password security.

Important: once the password hash has been generated, we cannot convert the hash back to the original password. Each time a user logs in to the application, we must generate the password hash again and match it against the hash stored in the database. So, if a user forgets his/her password, we will have to send them a temporary password or ask them to reset it. It's common nowadays, right?
1. Simplest password hash with MD5 Algorithm

The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value. It's very simple and straightforward; the basic idea is to map data sets of variable length to data sets of a fixed size. To do this, the input message is split into 512-bit blocks. Padding is added to the end so that the total length is a multiple of 512 bits. These blocks are processed by the MD5 algorithm, which operates on a 128-bit state, and the result is a 128-bit hash value. After applying MD5, the generated hash is typically written as a 32-digit hexadecimal number. Here, the password to be hashed is often called the "message" and the generated hash value is called the message digest or simply "digest".

1.1. Java MD5 Hashing Example

1.2. Disadvantages
If you are using MD5 hashes in your application, consider adding some salt to your security.

2. Making MD5 More Secure using Salt

Keep in mind that adding salt is not specific to MD5. We can add a salt to any other algorithm as well. So, please focus on how it is applied rather than its relation with MD5.

The original intent of salting was primarily to defeat pre-computed rainbow table attacks that could otherwise be used to significantly improve the efficiency of cracking a hashed password database. A more significant benefit is to slow down parallel operations that compare the hash of a password guess against many password hashes at once.

Important: we always need to use a SecureRandom to create good salts. The Java SecureRandom class supports the "SHA1PRNG" pseudo-random number generator algorithm, and we can take advantage of it.

2.1. How to generate Salt

Let's see how we should generate a salt.

The SHA1PRNG algorithm is used as a cryptographically strong pseudo-random number generator based on the SHA-1 message-digest algorithm. Note that if a seed is not provided, it will generate a seed from a true random number generator (TRNG).

2.2. Generate MD5 with Salt

Now, let's look at the modified MD5 hashing example:
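The salt generation from 2.1 and the salted MD5 hash from 2.2, written out as an added example (not the tutorial's own code). It assumes Java 17+ for java.util.HexFormat; the class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HexFormat;

public class SaltedMd5Example {

    // 16 random bytes from the SHA1PRNG generator named in the text.
    // No seed is passed, so the JDK seeds the generator itself.
    static byte[] getSalt() throws NoSuchAlgorithmException {
        SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
        byte[] salt = new byte[16];
        sr.nextBytes(salt);
        return salt;
    }

    // MD5 over salt || password; returns the 32-character hex digest.
    static String getSecurePassword(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        md.update(salt);
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(digest);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String password = "myPassword123"; // constructed sample value
        byte[] salt = getSalt();
        String stored = getSecurePassword(password, salt);

        // Re-using the stored salt reproduces the hash; a fresh salt does not,
        // which is why the salt must be persisted next to the hash.
        String sameSalt = getSecurePassword(password, salt);
        String freshSalt = getSecurePassword(password, getSalt());

        System.out.println("salt             : " + HexFormat.of().formatHex(salt));
        System.out.println("hash             : " + stored);
        System.out.println("same salt matches: " + stored.equals(sameSalt));   // true
        System.out.println("new salt matches : " + stored.equals(freshSalt));  // false
    }
}
```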
Please note that you now have to store this salt value for every password you hash, because when the user logs back in to the system we must use only the originally generated salt to recreate the hash that is compared with the stored one. If a different salt is used (we are generating random salts), the generated hash will be different. Also, you might hear of the terms "crazy hashing and salting". They generally refer to creating custom combinations of hashing and salting steps.

Do not practice these crazy things. They do not make hashes any more secure. If you want more security, choose a better algorithm.

3. Better Password Security using SHA Algorithms

The SHA (Secure Hash Algorithm) is a family of cryptographic hash functions. It is very similar to MD5, except that it generates stronger hashes. However, SHA hashes are not always unique, which means that we could have equal hashes for two different inputs. When this happens, it's called a "collision". The chances of a collision in SHA are lower than in MD5. But do not worry about these collisions, because they are very rare. Java has four implementations of the SHA algorithm. They generate the following hash lengths, compared with MD5 (128-bit hash): SHA-1 (160-bit), SHA-256 (256-bit), SHA-384 (384-bit) and SHA-512 (512-bit).

A longer hash is more challenging to break. That's the core idea. To get any implementation of the algorithm, pass its name as a parameter to MessageDigest.getInstance(), e.g. MessageDigest.getInstance("SHA-256").

3.1. Java SHA Hashing Example

Let's create a test program to demonstrate SHA hash generation:
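An added example for this section (not the tutorial's code) that runs the same salted hash through all four SHA variants, prints each digest length, and verifies a candidate password with MessageDigest.isEqual, the constant-time comparison the JDK provides. Java 17+ is assumed for HexFormat; names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HexFormat;

public class ShaHashingExample {

    static final String[] ALGORITHMS = {"SHA-1", "SHA-256", "SHA-384", "SHA-512"};

    // Salted digest with any algorithm name MessageDigest.getInstance accepts.
    static byte[] hash(String algorithm, byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Verification recomputes with the stored salt and compares without
    // short-circuiting on the first differing byte.
    static boolean verify(String algorithm, byte[] salt, byte[] storedHash, String candidate)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(storedHash, hash(algorithm, salt, candidate));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        String password = "myPassword123"; // constructed sample value

        for (String algorithm : ALGORITHMS) {
            byte[] digest = hash(algorithm, salt, password);
            System.out.printf("%-8s %4d bits  %s%n", algorithm, digest.length * 8,
                    HexFormat.of().formatHex(digest));
            System.out.println("  correct password verifies: "
                    + verify(algorithm, salt, digest, password));        // true
            System.out.println("  wrong password verifies  : "
                    + verify(algorithm, salt, digest, "myPassword124")); // false
        }
    }
}
```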
Very quickly, we can say that SHA-512 generates the most robust hash.

4. More Strong Hashes using PBKDF2WithHmacSHA1 Algorithm

So far, we have learned about creating secure hashes for passwords and using salt to make them even more secure. But the problem today is that hardware has become so fast that, using brute force with dictionaries and rainbow tables, a bad actor can crack any password given enough time. To solve this problem, the general idea is to make brute force attacks slower to minimize damage. The following algorithm works on this very concept. The goal is to make the hash function slow enough to impede attacks but still fast enough not to cause a noticeable delay for the user. This feature is essentially implemented using CPU-intensive algorithms such as PBKDF2, Bcrypt or Scrypt. These algorithms take a work factor (also known as a security factor) or iteration count as an argument. The iteration count determines how slow the hash function will be. When computers become faster next year, we can increase the work factor to balance it out. Java implements the "PBKDF2" algorithm as "PBKDF2WithHmacSHA1".

4.1. Java PBKDF2WithHmacSHA1 Hash Example

Let's look at an example of how to use the PBKDF2WithHmacSHA1 algorithm.

4.2. Verifying Passwords

The next step is to have a function that we can use to validate the password again when the user comes back and logs in.
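One added example (not the tutorial's attached source) serving both 4.1 and 4.2: it derives a PBKDF2WithHmacSHA1 hash, packs the iteration count, salt and hash into one storable string, and validates a login attempt from that string alone. Java 17+ is assumed for HexFormat; the storage format and method names are my own.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.HexFormat;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class Pbkdf2Example {

    static final int ITERATIONS = 65536;   // work factor: raise it as hardware gets faster
    static final int KEY_LENGTH_BITS = 256;

    // Derives the hash and returns "iterations:saltHex:hashHex" so that the
    // verifier has everything it needs without a separate salt column.
    static String generateStorableHash(String password)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] hash = pbkdf2(password.toCharArray(), salt, ITERATIONS);
        HexFormat hex = HexFormat.of();
        return ITERATIONS + ":" + hex.formatHex(salt) + ":" + hex.formatHex(hash);
    }

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_LENGTH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not keep the password in memory longer than needed
        }
    }

    // Re-derives with the stored iteration count and salt; the comparison is constant-time.
    static boolean validatePassword(String candidate, String stored)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        String[] parts = stored.split(":");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = HexFormat.of().parseHex(parts[1]);
        byte[] expected = HexFormat.of().parseHex(parts[2]);
        return MessageDigest.isEqual(expected, pbkdf2(candidate.toCharArray(), salt, iterations));
    }

    public static void main(String[] args) throws Exception {
        String stored = generateStorableHash("myPassword123"); // constructed sample value
        System.out.println(stored);
        System.out.println("correct: " + validatePassword("myPassword123", stored)); // true
        System.out.println("wrong  : " + validatePassword("myPassword124", stored)); // false
    }
}
```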
Please refer to the functions in the code samples above. If you run into any difficulty, download the source code attached at the end of the tutorial.

5. Hashes using Bcrypt and Scrypt

The concept behind bcrypt is similar to that of PBKDF2. Java does not have any built-in support for the bcrypt algorithm to make attacks slower, but you can find one such implementation in the attached source code.

5.1. Creating Hash using Bcrypt with Salt

Let's look at the sample usage code (BCrypt.java is available in the source code).

5.2. Creating Hash using Scrypt with Salt

Like bcrypt, I have downloaded scrypt from GitHub and added the source code of the scrypt algorithm to the attached source code.
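An added example for 5.1 and 5.2 (not the tutorial's attached code). It assumes the jBCrypt library (org.mindrot.jbcrypt.BCrypt) and the lambdaworks scrypt library (com.lambdaworks.crypto.SCryptUtil) on the classpath; whether the tutorial's BCrypt.java and scrypt sources are those exact libraries is an assumption. Both APIs embed the salt and work factor in the returned string, so nothing has to be stored separately.

```java
import org.mindrot.jbcrypt.BCrypt;         // jBCrypt (assumed library)
import com.lambdaworks.crypto.SCryptUtil;  // lambdaworks scrypt (assumed library)

public class BcryptScryptExample {

    // bcrypt: gensalt(12) draws a random salt and sets the cost to 2^12 rounds.
    // The "$2a$12$..." result carries cost, salt and hash together.
    static String bcryptHash(String password) {
        return BCrypt.hashpw(password, BCrypt.gensalt(12));
    }

    static boolean bcryptCheck(String candidate, String stored) {
        return BCrypt.checkpw(candidate, stored);
    }

    // scrypt: N is the CPU/memory cost (a power of two), r the block size, p the parallelism.
    // The "$s0$..." result carries parameters, salt and derived key together.
    static String scryptHash(String password) {
        return SCryptUtil.scrypt(password, 16384, 8, 1);
    }

    static boolean scryptCheck(String candidate, String stored) {
        return SCryptUtil.check(candidate, stored);
    }

    public static void main(String[] args) {
        String password = "myPassword123"; // constructed sample value
        String b = bcryptHash(password);
        String s = scryptHash(password);
        System.out.println("bcrypt: " + b);
        System.out.println("  correct / wrong: " + bcryptCheck(password, b) + " / " + bcryptCheck("wrong", b));
        System.out.println("scrypt: " + s);
        System.out.println("  correct / wrong: " + scryptCheck(password, s) + " / " + scryptCheck("wrong", s));
    }
}
```

Raising the bcrypt cost by one doubles the hashing time, which is the same "increase the work factor next year" lever described for PBKDF2 above.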