IggY

Reputation: 3125

What built-in Java hash function to use for password

I'm working on a school project making a Java program including a login/subscribe form.

Because it's for school I'm not supposed to include any third-party library like jBcrypt or other strong hashing function. I'm thinking about generating one salt per user with a sha256 of java.security.random but I don't know what hashing function to use for the password. I don't want to use only one iteration of a sha256/512 as it's a bit weak and I also don't want to make a for loop with 100 iterations of a sha256/512 as I guess if bcrypt and others exist it's because iterating sha isn't enough (and also because I know it's always a bad idea to try reinventing cryptography by yourself).

So what built-in hashing function should I use to store my password?

NB. I know that in this case (school project) the login data don't deserve very good security (and it's also not required by my subject) but I want to do it as well as possible so please don't answer that an md5/sha512 hash would be enough for such a situation.

Upvotes: 1

Views: 1458

Answers (2)

Sarel Botha

Reputation: 12700

Use PBKDF2WithHmacSHA1 with as many iterations as the user is willing to wait for. I would suggest 10,000.

This is pertinent: http://en.wikipedia.org/wiki/PBKDF2#BlackBerry_vulnerability

Upvotes: 0

TFuto

Reputation: 1452

I suggest that you study how to use SHA256 and 512 for passwords, with some care about salting.

See e.g. http://www.jasypt.org/howtoencryptuserpasswords.html

Section "6. Doing it in Java" describes the Java methods you could use to implement the algorithm if you do not want to use an external library.

Good luck!

Upvotes: 1
