CODEWITHSUNDEEP
javahashpassword-protectionsha
Encripterrr
Encripterrr

Reputation: 333

SHA2 password hashing in java

I'm trying to hash some passwords with SHA2.

Where can I get a snippet of java code for make that?

I have seen that post but I have something missing: SHA2 password storage with Java

 Mac mac = Mac.getInstance("HmacSha256");
 SecretKeySpec secret = new SecretKeySpec(key.getBytes(), "HmacSha256");
 mac.init(secret);
 byte[] shaDigest = mac.doFinal(phrase.getBytes());
 String hash = "";
 for(byte b:shaDigest) {
     hash += String.format("%02x",b);
 }

The phrase is the String I want encode right? And what is the key (line 2)

Thanks in advance

Upvotes: 12

Views: 41736

Answers (4)

thorin86
thorin86

Reputation: 633

I modified a little rossum's code, added salt and convert returning type to String, add try/catch, maybe it will help to someone:

    public String hash(String password) {
    try {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        String salt = "some_random_salt";
        String passWithSalt = password + salt;
        byte[] passBytes = passWithSalt.getBytes();
        byte[] passHash = sha256.digest(passBytes);             
        StringBuilder sb = new StringBuilder();
        for(int i=0; i< passHash.length ;i++) {
            sb.append(Integer.toString((passHash[i] & 0xff) + 0x100, 16).substring(1));         
        }
        String generatedPassword = sb.toString();
        return generatedPassword;
    } catch (NoSuchAlgorithmException e) { e.printStackTrace(); }       
    return null;
}

Upvotes: 15

rossum
rossum

Reputation: 15685

First, you need to be clear what it is you want to do. You say you want to hash a password, but the code you are using is for a MAC (Message Authentication Code), specifically, HMAC.

Hashes and MACs are different things for different purposes (though HMAC does involve using a hash). You need to be sure you are using the right one for your requirement.

The reason you are being asked to supply a key is because MACs need a key. Hashes do not:

public byte[] hash(String password) throws NoSuchAlgorithmException {
    MessageDigest sha256 = MessageDigest.getInstance("SHA-256");        
    byte[] passBytes = password.getBytes();
    byte[] passHash = sha256.digest(passBytes);
    return passHash;
}

Upvotes: 25

Dapeng
Dapeng

Reputation: 1716

you may consider using commons-codec's implementation

String hash = org.apache.commons.codec.digest.DigestUtils.sha256Hex(password +"salt");

Upvotes: 10

user684934
user684934

Reputation:

Phrase would be the password that you're trying to protect. key is the salt, a unique (and known) string appended to your password before hashing, to defeat rainbow tables. Or it should be, at least. Your code is just taking it from the password itself, which is kind of pointless. It should be a long random string that is stored together with the password digest.

Upvotes: 1

Related Questions