Faruk Akgul

Storing Passwords: Password Hashing

June 25, 2011 | View Comments

Another Sony hacking (hacking Sony has become a tradition) revealed approximately 1 million passwords which are stored in plain text. Storing passwords in plain text is a very stupid idea.

The least we could do is that a password needs to be hashed and salted. We could either create our own mechanism or taking advantage of libraries which support these things out of the box. For example; Apache Shiro. For those who may not be familiar with Apache Shiro; It's a Java security library which makes authentication, authorization and session management easy. What makes Apache Shiro special is its hashing mechanism also supports iterations.

Password Hashing With Apache Shiro

Apache Shiro supports MD2, MD5, SHA1, SHA256, SHA384 and SHA512 hashing. Since it also supports iterations in its hashing mechanism, we could simply do;

Sha512Hash s = new Sha512Hash("milla", "jovovich", 1024);

And Apache Shiro will create a SHA512 value for password "milla" salted with "jovovich" and iterated 1024 times (random salt and iteration would be a good approach). By default Apache Shiro iterates 1 time.

Here's a very simple example where the scenario is to store the username - password combination in an auth.ini.

Factory<SecurityManager> factory = new IniSecurityManagerFactory("/tmp/auth.ini");
SecurityManager manager = factory.getInstance();
SecurityUtils.setSecurityManager(manager);
Subject user = SecurityUtils.getSubject();

try {
    Sha512Hash s = new Sha512Hash("milla", "jovovich", 1024);
    UsernamePasswordToken token = new UsernamePasswordToken("milla", s.toString());
    System.out.println(s.toString());
    user.login(token);
} catch (IncorrectCredentialsException e) {
    // password is wrong
} catch (UnknownAccountException e) {
    // username is wrong
}
// should say "true"
System.out.println("user is authenticated " + user.isAuthenticated());
Share:Tweet

blog comments powered by Disqus