iowatiger08

Reputation: 1962

SHA hash does not seem to be working correctly

I am trying to build a simple password authenticator for passwords that have been hashed using SHA-256.

I found a couple of calculators online (http://onlinemd5.com/) that hashed "password" to "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

I tried a couple other passwords with expected results.

So I tried to implement a fairly straight forward set of code (or so I thought)

import java.security.MessageDigest;
import java.util.Arrays;

String pswd="password";
String storedPswd="5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8";
// first as a byte[]: this compares the 32 raw digest bytes with the UTF-8 bytes of the 64-character hex string
Arrays.equals(hashWord(pswd), storedPswd.getBytes("UTF-8"));
...
private byte[] hashWord(String word) {
    try {
        // raw SHA-256 digest of the UTF-8 encoding of the word
        return MessageDigest.getInstance("SHA-256").digest(word.getBytes("UTF-8"));
    } catch (Exception e) {
        throw new BadCredentialsException("Could not hash supplied password", e);
    }
}

I also tried this, without success.

// note: DigestUtils.sha256Hex returns lower-case hex
return storedPswd.toUpperCase().equals(DigestUtils.sha256Hex(pswd));

The Apache codec library (v1.10) and Java 1.6 give me:

113459EB7BB31BDDEE85ADE5230D6AD5D8B2FB52879E00A84FF6AE1067A210D3

instead of

5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8

What am I missing?

The Solution (wrong inputs):

updated Test Code:

import java.security.MessageDigest;
import org.apache.commons.codec.digest.DigestUtils;
import org.junit.Assert;
import org.junit.Test;

String passwordSHA="5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8";
String complexSHA="8849fb9b221ddec0117e2796d16929179accf3a6012f738e1ed6c11af9cc2081";
@Test
public void testDigest() throws InterruptedException{
    System.out.println("Starting Digest test");
    String complexPassword = "a7$h1UC8";
    try {
        Assert.assertTrue(authenticateUser(complexPassword, complexSHA));
        Assert.assertTrue(authenticateUser("password", passwordSHA));
        Assert.assertTrue( hashWord(complexPassword).equals(complexSHA) );
    } catch (Exception e) {
        Assert.fail();
    }
}
// hashes the plaintext word with commons-codec and compares the lower-case hex result to the stored value
public boolean authenticateUser(String word, String stored) throws Exception {
    String apache2Pswd = hashApache(word);
    System.out.println(apache2Pswd);
    return stored.equals(apache2Pswd);
}
private String hashApache(String pswd){
    return DigestUtils.sha256Hex(pswd);
}
// same digest computed with plain JDK MessageDigest, hex-encoded byte by byte
public static String hashWord(String word) throws Exception{
    byte[] digest = MessageDigest.getInstance("SHA-256").digest(word.getBytes("UTF-8"));
    StringBuilder sb = new StringBuilder();
    for (byte b : digest) {
        sb.append(String.format("%02x", b));
    }
    System.out.println(sb.toString());
    return sb.toString();
}

With Results:

Starting Digest test
8849fb9b221ddec0117e2796d16929179accf3a6012f738e1ed6c11af9cc2081
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
8849fb9b221ddec0117e2796d16929179accf3a6012f738e1ed6c11af9cc2081

Upvotes: 1

Views: 1608

Answers (2)

Jesper

Reputation: 206766

The hashWord method that you posted is not correct: it does not compile (is this your actual code?), because it's not returning a value.

With this:

byte[] digest = MessageDigest.getInstance("SHA-256").digest("password".getBytes("UTF-8"));

for (byte b : digest) {
    System.out.printf("%02x", b);
}

I do get the expected output:

5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

The output 113459eb7bb31bddee85ade5230d6ad5d8b2fb52879e00a84ff6ae1067a210d3 is what you get when you calculate the SHA-256 hash over the string 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 instead of the original string password.

You are calculating the hash over the hex string containing the hash, instead of the hash of the original password.

Upvotes: 3

Durandal

Reputation: 20059

An online resource that does not carefully document how it converts user input to binary before hashing is worthless for the purpose of comparing hashes.

It ultimately doesn't matter if your encoding method produces hashes compatible with anything else. What matters is that you get the same hash for the same input consistently (i.e. the hash procedure must be deterministic).

Upvotes: 1
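The following is an added example, not code from the question or from either answer, that puts the two answers side by side in one runnable class: it reproduces the correct digest of "password" and the digest-of-the-hex-string mistake Jesper describes, shows why the question's byte[] comparison could never succeed (32 raw digest bytes against 64 hex characters), and illustrates Durandal's point that the digest depends on the text-to-bytes encoding by hashing the same string as UTF-8 and as UTF-16. The class name, helper names and the use of MessageDigest.isEqual for the comparison are my own choices, not anything from the page.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class Sha256Demo {

    // Lower-case hex encoding of a digest, the same format DigestUtils.sha256Hex produces.
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Decode a hex string back into the raw digest bytes.
    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // SHA-256 over the bytes of the text under an explicitly chosen charset.
    static byte[] sha256(String text, Charset charset) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(text.getBytes(charset));
    }

    // Verify a candidate against a stored hex digest. Both sides are compared as raw
    // bytes, and MessageDigest.isEqual is used so the comparison does not stop at the
    // first differing byte (case of the stored hex is normalised before decoding).
    static boolean verify(String candidate, String storedHex) throws NoSuchAlgorithmException {
        byte[] computed = sha256(candidate, StandardCharsets.UTF_8);
        byte[] stored = fromHex(storedHex.toLowerCase());
        return MessageDigest.isEqual(computed, stored);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // The stored value from the question.
        String storedHex = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8";

        // 1. Correct computation: digest of the UTF-8 bytes of the plaintext.
        System.out.println("sha256(\"password\")       = " + toHex(sha256("password", StandardCharsets.UTF_8)));

        // 2. The mistake Jesper identified: hashing the hex string that holds the hash.
        System.out.println("sha256(hex of the hash)  = " + toHex(sha256(storedHex, StandardCharsets.UTF_8)));

        // 3. The byte[] comparison from the question: 32 raw digest bytes against the
        //    64 bytes of the hex string. The lengths alone guarantee a mismatch.
        byte[] raw = sha256("password", StandardCharsets.UTF_8);
        byte[] hexBytes = storedHex.getBytes(StandardCharsets.UTF_8);
        System.out.println("raw length " + raw.length + ", hex length " + hexBytes.length
                + ", Arrays.equals = " + Arrays.equals(raw, hexBytes));

        // 4. Comparing digest bytes with digest bytes works, regardless of hex case.
        System.out.println("verify(\"password\") = " + verify("password", storedHex));
        System.out.println("verify(\"password\", upper-case stored) = " + verify("password", storedHex.toUpperCase()));
        System.out.println("verify(\"Password\") = " + verify("Password", storedHex));

        // 5. Durandal's point: the encoding step is part of the input. Java's UTF-16
        //    encoder emits a byte-order mark and two bytes per character, so even a
        //    pure-ASCII string hashes differently from its UTF-8 form.
        System.out.println("UTF-8  : " + toHex(sha256("password", StandardCharsets.UTF_8)));
        System.out.println("UTF-16 : " + toHex(sha256("password", StandardCharsets.UTF_16)));
    }
}
```

Steps 1 and 2 reproduce the two digests quoted in the question, which makes the "hash of the hex string" explanation easy to confirm locally. The general lesson from step 5 is that a hash is only reproducible if the string-to-bytes step is fixed and documented on both the producing and the verifying side. A plain unsalted SHA-256 is fine for checking that the digest code is correct, but a real password store should use a salted, deliberately slow password hashing function rather than a bare SHA-256.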
