Enrichman

Reputation: 11337

Hash (with Spring) and salt: is this safe?

I have a Spring-based web app, so I ended up using spring-security-3.0.8 (I know, that's not a good reason, lol) and I found the PasswordEncoder class. In my case I'm using the Md5PasswordEncoder, but I'm not sure whether it is the best implementation.

http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/authentication/encoding/PasswordEncoder.html

The salt is generated by a SecureRandom.

The whole code is something like this:

import java.math.BigInteger;
import java.security.SecureRandom;

SecureRandom random = new SecureRandom();   // cryptographically strong RNG for the salt
// passwordEncoder is the injected Md5PasswordEncoder bean mentioned above
String salt = new BigInteger(130, random).toString(32);  // 130 random bits, rendered in base 32
user.setSalt(salt);                                      // salt stored next to the user record
user.setPassword(passwordEncoder.encodePassword(user.getPassword(), salt));  // MD5 of password merged with salt
db.save(user);

I don't really need big security but it's just for knowledge's sake. :)

(What about making the salt as big as the hash by setting the bits to 160?)

Upvotes: 2

Views: 1079

Answers (1)

Matthias Herlitzius

Reputation: 3385

For improved security you might want to consider jBCrypt or scrypt. Spring Security 3.1 supports BCrypt out of the box.

Further universally valid information can be found in the post Secure hash and salt for PHP passwords.

Upvotes: 4
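As an added example (not code from the question or the answer), this is the BCrypt route the answer points to, using the BCryptPasswordEncoder that Spring Security 3.1 ships; the class name, the work factor of 12 and the sample password are my own choices, and it assumes Spring Security 3.1 or later is on the classpath:

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptStorageExample {
    // Work factor 12 means 2^12 key-expansion rounds; raise it as hardware gets faster.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(12);

    // Replaces encodePassword(password, salt): BCrypt draws its own 128-bit random
    // salt and stores it, together with the cost, inside the returned hash string,
    // so the user table no longer needs a separate salt column.
    static String hashForStorage(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    // Login check: matches() parses the stored string to recover salt and cost,
    // recomputes the hash and compares it with the stored value.
    static boolean verify(String rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple";   // constructed sample
        String stored = hashForStorage(password);

        System.out.println("stored hash:      " + stored);
        System.out.println("correct password: " + verify(password, stored));
        System.out.println("wrong password:   " + verify("wrong password", stored));
        // Hashing the same password twice yields different strings, because each
        // call draws a fresh salt; only matches() can tell whether they agree.
        System.out.println("same as rehash:   " + stored.equals(hashForStorage(password)));
    }
}
```

Because the salt and cost travel inside the hash, the `user.setSalt(...)` line from the question disappears, and an existing MD5 column can be migrated by re-hashing each password with BCrypt at the user's next successful login.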
