Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

how much is it worth of hashing of passwords in java for security?

I am developing a web application in Java and I want to make the authentication process secure
by using hashed passwords.

In hashing
step-1 : we take the password given by the user and add a salt to it.
step-2 : hash it using MessageDigest and store the hashed value in database

While authenticating a user during login process we repeat both the same steps above, but instead of
storing the hashed value we compare it with the value present in database.

Now forgive my ignorance but what I want to say is if a hacker gets access to the database by any other
means, then it can provide security as the hacker cannot get the real text of password from the hashed
value so easily.

BUT how can it provide security against other forms of attacks like Bruteforce attack, Rainbow attack, dictionary attack etc. as we use the same steps to authenticate the user for login?

I don't think hashing of passwords now-a-days value that much.
Give me some suggestions..... if I am wrong.

like image 629
mukund Avatar asked May 29 '12 07:05

mukund


People also ask

How secure is password hashing?

Whereas the transmission of the password should be encrypted, the password hash doesn't need to be encrypted at rest. When properly implemented, password hashing is cryptographically secure. This implementation would involve the use of a salt to overcome the limitations of hash functions.

What is the most secure password hashing algorithm?

To the time of writing, SHA-256 is still the most secure hashing algorithm out there. It has never been reverse engineered and is used by many software organizations and institutions, including the U.S. government, to protect sensitive information.

What is password hash value?

Password hashing is defined as putting a password through a hashing algorithm (bcrypt, SHA, etc) to turn plaintext into an unintelligible series of numbers and letters. This is important for basic security hygiene because, in the event of a security breach, any compromised passwords are unintelligible to the bad actor.

Does hashing a hash make it more secure?

Yes, if done properly. Many modern password hash functions are slow because they do a fast hash calculation thousands of times. This is normally not used as a security property. Normally the number of iterations is stored along with the hash, and not kept secret.


1 Answers

Brute force is brute force. You can't do anything about it except refusing to try the authentication (or imposing a delay) after N successive failed trials. Of course, if the hacker has the hashed password, he will be able to brute force the password, but the point of a secure hashing function is to make that very very long.

Rainbow/dictionary attacks are solved by the salting. If a user chooses "password" as his password, a rainbow/dictionary attack would find the password immediately. But since you salt the password with a random value, the hashed value will be something like d7("58gd0}78sq5sQIazuAKpassword, which won't be in the rainbow table/dictionary.

like image 128
JB Nizet Avatar answered Oct 16 '22 16:10

JB Nizet