Passwords and hash values

exercise No. 50

Q:

In the exercise in the section called “A user authentication strategy” we discarded the idea of clear text passwords in favour of password hashes. In order to resist rainbow table cracking, so-called salted hashes are superior. You should read https://www.heckrothindustries.co.uk/articles/an-introduction-to-password-hashes for an overview. The article contains further references at the bottom of the page.

With respect to an implementation, http://stackoverflow.com/questions/2860943/suggestions-for-library-to-hash-passwords-in-java provides a simple example for:

  • Creating a salted hash from a given password string.

  • Verifying such a hash against a given clear text password.

You may as well use http://crackstation.net/hashing-security.htm#javasourcecode as a starting point. This example works standalone without needing an external library. Note: This example produces different (incompatible) hash values, so hashes created by one implementation cannot be verified by the other.

Create a simple unit test exercising hash creation and verification against a random password value.

Tip

The previously mentioned implementation uses encodeBase64String, which requires the following Maven dependency:

<dependency>
  <groupId>commons-codec</groupId>
  <artifactId>commons-codec</artifactId>
  <version>1.10</version>
</dependency>
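As an added, self-contained illustration of the two operations listed above (creating a salted hash and verifying a clear text password against it), the following class is not the HashProvider of the solution nor the code from the linked Stack Overflow or CrackStation pages. It uses PBKDF2 with HMAC-SHA256 from javax.crypto and java.util.Base64 (Java 8 and later), so the commons-codec dependency is not needed; the record layout "iterations:salt:hash" is a format chosen for this example, and the password string is a constructed sample.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Salted password hashing with PBKDF2-HMAC-SHA256 (javax.crypto only, no external library).
 * Stored record layout (chosen for this example): iterations:base64(salt):base64(hash)
 */
public final class SaltedHashExample {

    private static final int SALT_BYTES = 16;
    private static final int HASH_BYTES = 32;
    private static final int ITERATIONS = 100_000; // raise as hardware permits
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Draws a fresh random salt and returns the record to store instead of the password. */
    public static String createHash(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt); // a new salt per password defeats precomputed (rainbow) tables
        byte[] hash = pbkdf2(password, salt, ITERATIONS, HASH_BYTES);
        Base64.Encoder enc = Base64.getEncoder();
        return ITERATIONS + ":" + enc.encodeToString(salt) + ":" + enc.encodeToString(hash);
    }

    /** Verifies a clear text password against a stored record; wrong or malformed records yield false. */
    public static boolean verify(char[] password, String stored) {
        String[] parts = stored.split(":");
        if (parts.length != 3) {
            return false;
        }
        int iterations;
        byte[] salt;
        byte[] expected;
        try {
            iterations = Integer.parseInt(parts[0]);
            salt = Base64.getDecoder().decode(parts[1]);
            expected = Base64.getDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) { // covers NumberFormatException and bad Base64
            return false;
        }
        if (iterations <= 0 || salt.length == 0 || expected.length == 0) {
            return false;
        }
        byte[] actual = pbkdf2(password, salt, iterations, expected.length);
        // Constant-time comparison: running time does not leak the position of the first mismatch.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int bytes) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, bytes * 8);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    /** Round trip in the spirit of the unit test the exercise asks for (JUnit assertions would replace check). */
    public static void main(String[] args) {
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample
        String record1 = createHash(password);
        String record2 = createHash(password);

        check(!record1.equals(record2), "same password, different salt => different records");
        check(verify(password, record1), "correct password verifies against first record");
        check(verify(password, record2), "correct password verifies against second record");
        check(!verify("wrong password".toCharArray(), record1), "wrong password is rejected");
        check(!verify(password, "not:a:valid:record"), "malformed record is rejected");
        System.out.println("all checks passed: " + record1);
    }

    private static void check(boolean ok, String what) {
        if (!ok) {
            throw new AssertionError(what);
        }
    }
}
```

The iteration count is stored inside the record so it can be raised later without invalidating existing entries; a verifier that trusts a record with far fewer iterations than the current policy should treat it as due for re-hashing on the next successful login.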

A:

Starting from Salted Password Hashing - Doing it Right and http://stackoverflow.com/questions/2860943/suggestions-for-library-to-hash-passwords-in-java we create a slightly modified class HashProvider:

This solution also contains a unit test class TestDecrypt, which illustrates the intended use.