
I'm creating a hash from a given password in Java and storing that into a MySQL database. I've read a lot about storing a salt in the database, but there are a couple of reasons I've chosen not to here. There seems to be no way to completely hide a random salt specific to each user from Hacker, and there's no way to hide that I have a hosted database and downloadable software. Because this software is only used in house, it has at most 20 users, and Hacker is far more likely to stumble upon the database port than he is the software. At least by generating the salt in the software instead of storing it in the database, he'll need to find the software to decompile and determine the salt/hash method.

Here's the method I'm using:

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public static byte[] getHash(String password) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-256");

    // Explicit charset: the no-argument getBytes() uses the platform default,
    // which would make the stored hash machine-dependent.
    byte[] passBytes = password.getBytes(StandardCharsets.UTF_8);

    // "Salt" here is SHA-256 of the password itself, so it is fully determined
    // by the password (this is the design the comments and answer criticise).
    byte[] salt = digest.digest(passBytes);

    // Concatenate password || salt and hash the result.
    byte[] digestable = new byte[passBytes.length + salt.length];
    System.arraycopy(passBytes, 0, digestable, 0, passBytes.length);
    System.arraycopy(salt, 0, digestable, passBytes.length, salt.length);

    return digest.digest(digestable);
}

EDIT: Precedent for putting this here

I see that I need to generate a random salt and I can store it now.

    If you have working code, http://www.codereview.stackexchange.com may be the better place to ask this question – CubeJockey Aug 14 '15 at 18:20
  • I would also recommend security.stackexchange.com for things related to security of algorithms. – childofsoong Aug 14 '15 at 18:22
    The salt is not something that needs to be secret. See: http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords – Cypher Aug 14 '15 at 18:25
    Even better explanation: http://security.blogoverflow.com/2013/09/about-secure-password-hashing/ – Cypher Aug 14 '15 at 18:28
  • I posted here because, as you can see, there are already two other places that this *might* belong and I found precedent: [Precedent 1](http://stackoverflow.com/questions/3331431/php-ajax-login-is-this-method-secure) [Precedent 2](http://stackoverflow.com/questions/3336636/php-ajax-login-is-this-method-secure?rq=1) [Precedent 3](http://stackoverflow.com/questions/3811302/is-this-a-secure-encryption-method) I found better precedent that looks incredibly similar to my post (different language/method) with 7+ upvotes; that post was the reason I put it here. – roundar Aug 14 '15 at 18:33
  • How do you intend to ever check the password hash if you do *not* store your salt? – Durandal Aug 14 '15 at 18:39
  • @Durandal My thinking was that the salt will always be generated the same way, but can't be guessed (i.e., using the username as the salt). – roundar Aug 14 '15 at 18:41
  • @Durandal Edited because I thought seeding the SecureRandom was giving me constant results. – roundar Aug 14 '15 at 18:47
  • @roundar - A salt which is derived from the password itself is not a salt at all; it is just a bit more complex hash function. The purpose of the salt will be negated, because you can still build one rainbow table to get all passwords at once. – martinstoeckli Aug 14 '15 at 19:14
  • Others have told you that the salt is not supposed to be a secret. If you follow the links they gave you, then you'll also know that it _is_ supposed to be _random_. – Solomon Slow Aug 14 '15 at 20:01

1 Answer


No, the only acceptable password hashing methods are bcrypt, scrypt, and PBKDF2.

SHA-256 is too fast. You want a slow hashing method, like the above.

If your main security threat is SQL injection, then you should pepper the passwords. This means HMAC-ing the password with a secret known by the web server, but not the database server. See https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage.

You should also deny user/password table access to your web server, and have a very simple stored procedure api for authentication.

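The following is an added example, not code from the question or the answer, that puts the three points of the thread together in Java: a random per-user salt stored in the clear next to the hash (as the comments ask for), a slow KDF (PBKDF2-HMAC-SHA256, one of the three the answer accepts, and available in the JDK without extra libraries), and a pepper applied as an HMAC before the KDF so that a dumped users table alone does not let an attacker start cracking. The pepper value, the `PasswordStore` class and method names, the `scheme$iterations$salt$hash` storage format and the iteration count are all assumptions made for the example; the pepper in `main` is a constructed demo value and in a real deployment would be read from the application host's configuration, never from MySQL.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not the answer's code): random per-user salt stored beside the
 * hash, a slow KDF (PBKDF2-HMAC-SHA256), and a pepper applied as HMAC before the
 * KDF so that a dumped users table alone is not enough to begin cracking.
 */
public final class PasswordStore {
    private static final String SCHEME = "pbkdf2-sha256";
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    // Assumption: iteration count chosen so one hash costs roughly 100 ms on the
    // application server; measure on the real hardware and raise it over time.
    private static final int ITERATIONS = 210_000;
    private static final SecureRandom RNG = new SecureRandom();

    private final byte[] pepper;

    /** The pepper lives on the application host (env var or config file), never in the database. */
    public PasswordStore(byte[] pepper) {
        if (pepper.length < 32) throw new IllegalArgumentException("pepper too short");
        this.pepper = pepper.clone();
    }

    /** Returns "scheme$iterations$base64(salt)$base64(hash)"; every field is safe to store in the users table. */
    public String hash(String password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);               // fresh random salt per password, stored in the clear
        byte[] dk = derive(password, salt, ITERATIONS);
        return SCHEME + "$" + ITERATIONS + "$" + b64(salt) + "$" + b64(dk);
    }

    /** Recomputes the hash from the stored salt and iteration count and compares in constant time. */
    public boolean verify(String password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !SCHEME.equals(parts[0])) return false;
        int iterations = Integer.parseInt(parts[1]);
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        byte[] actual = derive(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);  // no early exit on the first differing byte
    }

    private byte[] derive(String password, byte[] salt, int iterations) throws GeneralSecurityException {
        // Step 1: pepper. HMAC-SHA256(pepper, password) ties the result to a secret the DB server never sees.
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(pepper, "HmacSHA256"));
        byte[] peppered = mac.doFinal(password.getBytes(StandardCharsets.UTF_8));

        // Step 2: slow KDF. PBEKeySpec takes chars, so feed it the base64 of the HMAC output.
        PBEKeySpec spec = new PBEKeySpec(b64(peppered).toCharArray(), salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    private static String b64(byte[] b) {
        return Base64.getEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed demo pepper; in deployment read it from the application host's config, not from the DB.
        byte[] pepper = "constructed-demo-pepper-at-least-32-bytes-long!!".getBytes(StandardCharsets.UTF_8);
        PasswordStore store = new PasswordStore(pepper);

        String a = store.hash("correct horse battery staple");
        String b = store.hash("correct horse battery staple");
        System.out.println(a);
        System.out.println("same password, different salt => different rows: " + !a.equals(b));
        System.out.println("verify right password: " + store.verify("correct horse battery staple", a));
        System.out.println("verify wrong password: " + store.verify("correct horse battery stapler", a));
    }
}
```

Two of the thread's objections are answered directly by this layout: the salt is random per user and sits in the stored string, so nothing about it needs to be secret, and the only secret (the pepper) is held by the application, which is exactly the split the answer recommends when the database port is the exposed surface. Storing the iteration count with the hash lets you raise it later and rehash users on their next successful login.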