...
A good practice is to always use a salt in addition to the password being hashed. A salt is a unique randomly generated piece of data that is stored and used to generate the hash value along with the password. along with the hash value. Each Each password should have its own salt associated with it. If a single salt were used for more than one password an attacker could determine when a user has a commonly used password. Password specific salts are usually stored along with their corresponding hash values. System specific -unique salts that are stored separately from the hash values may also be used to increase the difficulty of deriving passwords if a malicious actor obtains a copy of the hash values and salts.
...
| Code Block | ||
|---|---|---|
| ||
public final class Password {
private void setPassword(byte[] pass) throws Exception {
// Arbitrary encryption scheme
byte[] encrypted = encrypt(pass);
clearArray(pass);
// Encrypted password to password.bin
saveBytes(encrypted,"password.bin");
clearArray(encrypted);
}
boolean checkPassword(byte[] pass) throws Exception {
// Load the encrypted password
byte[] encrypted = loadBytes("password.bin");
byte[] decrypted = decrypt(encrypted);
clearArray(encrypted);
boolean arraysEqual = Arrays.equal(decrypted, pass);
clearArray(decrypted);
clearArray(pass);
return arraysEqual;
}
private void clearArray(byte[] a) {
for (int i = 0; i < a.length; i++) {
a[i] = 0;
}
}
private byte[] encrypt(byte[] clearValue) {
// ... symmetric encryption of clearValue bytes, returning the encrypted value
}
private byte[] decrypt(byte[] encryptedValue) {
// ... symmetric decryption of encryptedValue bytes, returning clear value
}
private void saveBytes(byte[] bytes, String filename) throws IOException {
// ... write bytes to the file
}
private byte[] loadBytes(String filename) throws IOException {
// ... read bytes to the file
}
}
|
...
| Code Block | ||
|---|---|---|
| ||
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public final class Password {
private SecureRandom random = new SecureRandom();
private void setPassword(String pass) throws Exception {
byte[] salt = new byte[12];
random.nextBytes(salt);
MessageDigest msgDigest = MessageDigest.getInstance("SHA-256");
// Encode the string and salt
byte[] hashVal = msgDigest.digest((pass+salt).getBytes());
saveBytes(salt, "salt.bin");
// Save the hash value to password.bin
saveBytes(hashVal,"password.bin");
}
boolean checkPassword(String pass) throws Exception {
byte[] salt = loadBytes("salt.bin");
MessageDigest msgDigest = MessageDigest.getInstance("SHA-256");
// Encode the string and salt
byte[] hashVal1 = msgDigest.digest((pass+salt).getBytes());
// Load the hash value stored in password.bin
byte[] hashVal2 = loadBytes("password.bin");
return Arrays.equals(hashVal1, hashVal2);
}
private void saveBytes(byte[] bytes, String filename) throws IOException {
// ... write bytes to the file
}
private byte[] loadBytes(String filename) throws IOException {
// ... read bytes to the file
}
}
|
...