Jonas Grønbek

Reputation: 2019

hashing + salt for java web application

I have been told not to create my own salt and hashing methods, because the ones already existing in Java are far superior. After looking into it a bit, I do not quite understand the following:

How do I generate and verify hashed and salted passwords in a contemporary way for a Java web application?

Upvotes: 2

Views: 1302

Answers (1)

Red Boy

Reputation: 5719

Here is the usual approach to storing passwords with hashing.

What is the difference between creating the hash, and verifying it?

  1. Take the plain text password, add a random salt, then store the salt and the hashed password in the database.
  2. When a user wants to log in, you take their submitted password, add the random salt from their account information, hash it, and see if it equals the stored hashed password in their account information.

If the salt is random every time, don't you need a token to verify passwords other than the username?

If you see #2, a token may be required for session purposes, but not for authentication (checking if the user is legitimate).

There are good questions on the same subject. There are good working examples related to the same that you could utilize.

Upvotes: 2
