Keeping user passwords safe in Java?

Question

I've come to a point when I need to pick a way how to safely keep user passwords in database and to be able to check if they match when user signs in in the website.

I'm using Spring 2.5 at the moment, but upgrading slowly to Spring 3. What would you suggest me to keep the passwords safe? I know this question has been answered in similar forms here and there, but I would like to see some exact, up-to-date answer about how to do that, which could also protect against today's password hacking techniques.

What would be the most appropriate way of hashing passwords with salt? I mean what algorithm to use better if any at all? Should I use bcrypt instead and is jBCrypt a good lib for that? Is there any better way how to protect the passwords? What about using Jasypt? What techniques do you use to store the user passwords safely?

Edit: Even though i didn't get like very interesting and detailish answers I went with bcrypt/jBCrypt as it's seems the best choose. Feel free to discuss.

Answer 1

Yes, you should use bcrypt/jBCrypt. bcrypt is specifically designed to be slow, so it would take an infeasible amount of time to crack a password.

See this blog post on extra measures that you can use on top of using bcrypt for password hashing.

Answer 2

you can hash it using md5 code:

public static String StringHashing(String s) {

    MessageDigest m = null;
    try {
        m = MessageDigest.getInstance("MD5");

    } catch (NoSuchAlgorithmException ex) {

    }
    m.update(s.getBytes(), 0, s.length());
    return (new BigInteger(1, m.digest()).toString(16));

}

Answer 3

SpringSecurity supports password encoding using hashing and salts.