
SHA-512 generates different hash values when using salt

 
Ranch Hand
I tried to save the password as a hash value. I used SHA-512 with a salt. When I try to verify the password, it seems to generate different hash values. I am generating a random salt using the SecureRandom class in Java.
 
Saloon Keeper
Don't roll your own crypto. Use a key derivation function to generate password hashes for you, not your own hash+salt combination.

Having said that, if this is for educational purposes go right ahead, as long as it doesn't end up in production somewhere.

You are likely generating a new salt during the validation step. Don't. Use the same salt you generated when you hashed the original password. If you need more help with this, you'll have to show us your code though.
 
shawn peter
Ranch Hand
Yes, it was an issue with the salt: since the salt was saved as a String, it may change the content. I saved the salt as a byte array and now it is OK. I have one more question. If I use a pepper as another salt, where must it be saved: in the code or in a config file?
 
Stephan van Hulst
Saloon Keeper

sam liya wrote: If I use pepper as another salt

What do you mean, "as another salt"? A pepper is not a salt, and you wouldn't use it that way.

where it must be saved. in the code or config file?


In a configuration file, so you can use a different pepper per deployment.
 
shawn peter
Ranch Hand
Can you provide me a sample of a pepper? According to the tutorial below, it is another String value. I just need to know how to add the salt value when hashing the password.

https://happycoding.io/tutorials/java-server/secure-password-storage#peppering-passwords

I just need to know how to add the salt value when hashing the password. Currently I am using a String for the password and a byte array for the salt.
 
Stephan van Hulst
Saloon Keeper
It doesn't matter how you add it. You can add it by concatenating the strings together, or you can add it by creating a byte array and filling it with the binary data of the password, salt and pepper in succession. Remember that most crypto functions work on byte arrays, so you need to make sure that whenever you convert your strings to binary, you do it with a fixed known encoding.

Show us your code for review.
 
shawn peter
Ranch Hand
I am using the code below.



The mysalt value is a byte array, so I believe this approach is fine.
 
Stephan van Hulst
Saloon Keeper
What do you do with the salt after hashing?
 