I've come to a point when I need to pick a way how to safely keep user passwords in database and to be able to check if they match when user signs in in the website.
I'm using Spring 2.5 at the moment, but upgrading slowly to Spring 3. What would you suggest me to keep the passwords safe? I know this question has been answered in similar forms here and there, but I would like to see some exact, up-to-date answer about how to do that, which could also protect against today's password hacking techniques.
What would be the most appropriate way of hashing passwords with salt? I mean what algorithm to use better if any at all? Should I use bcrypt
instead and is jBCrypt
a good lib for that? Is there any better way how to protect the passwords? What about using Jasypt
? What techniques do you use to store the user passwords safely?
Edit: Even though i didn't get like very interesting and detailish answers I went with bcrypt/jBCrypt as it's seems the best choose. Feel free to discuss.
Yes, you should use bcrypt/jBCrypt. bcrypt is specifically designed to be slow, so it would take an infeasible amount of time to crack a password.
See this blog post on extra measures that you can use on top of using bcrypt for password hashing.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With