...
The value that a hash function outputs is called the hash value. Another term for hash value is message digest. Hash functions are computationally feasible functions whose inverses are computationally infeasible. This means that in practice, one can encode a password to a hash value quickly, while they are also unable to decode it. The equality of the passwords can be tested through the equality of their hash values.
Java's MessageDigest class provides the functionality of various cryptographic hash functions. Be careful not to use any defective hash functions, such as MD5.
It is also important that you append a salt to the password you are hashing. A salt is a piece of data that is randomly generated during the creation of the program (and consistent throughout the rest of its implementation). The use of a salt helps prevents dictionary attacks against the hash value, provided the salt is long enough.
Noncompliant Code Example
| Code Block |
|---|
class Password { public static void main(String[] args) throws IOException { char[] password = new char[100]; BufferedReader br = new BufferedReader(new InputStreamReader( new FileInputStream("credentials.txt"))); // Reads the password into the char array, returns the number of bytes read int n = br.read(password); // Decrypt password, perform operations for(int i = n - 1; i >= 0; i--) { // Manually clear out the password immediately after use password[i] = 0; } br.close(); } } |