I used SHA-512 with a salt value. So I need to verify that the generated hash value is correct?
I am using a binary array as a salt.
I am using https://www.baeldung.com/java-password-hashing as a reference. Below is the code. So I will save the hashed value and the salt in the DB.
I need to verify the generated hashed value manually. For example, I need to hash the same password using that salt value and check that I am getting the same hashed value. I found the site below, but it does not provide a place to add the salt value?
Use a key derivation function to create and verify user passwords. Writing your own salt+hash function is asking to get hacked. Heck, if you're working with a framework like Spring or Java EE, don't even use a key derivation function, but use the security middleware instead.
If this is just for practice, you will want to get an instance of SecretKeyFactory and convert an instance of PBEKeySpec to a SecretKey.
Don't use String. Move the raw password as a character array before you create a PBEKeySpec out of it. When you're done creating the SecretKey, make sure to zero out the character array and clear the PBEKeySpec.
You can store the SecretKey either by serializing it, or by calling getEncoded() to get the raw bytes. You will also want to store the IV of the PBEKeySpec you generated the secret with.
To verify a password the user entered, retrieve the SecretKey and IV from storage, and create a new SecretKey using the entered password and the stored IV. When the new secret has the same bytes as the stored secret, the password is valid.
Make sure to post your code when you're done or need help, so we can help you with possible security issues.
You just store the hashed password and the salt somewhere. When you want to validate, you hash the entered password again, except the second time you use the stored salt, not a newly generated one. If the hashes match, the password is valid.
But I need to validate this not programmatically; I need to validate it in a user-friendly way. For example, I need to validate it using some website which takes the password and salt value and generates the hashed password.
Also, I stored the hashed password as a byte array. So I need to convert it to a String before doing validation.
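An independent re-computation is the manual check being asked for: feed the same password, the same stored salt, the same iteration count and the same output length into PBKDF2-HMAC-SHA512 and the bytes must match. This is an added example, not code from the thread or from the Baeldung article; it uses Python's hashlib instead of Java's SecretKeyFactory, and the iteration count and key length are assumed values that must match whatever the Java PBEKeySpec was built with.

```python
import hashlib
import hmac
import os

# Assumed parameters: they must equal the iteration count and key length (in
# bits -> bytes here) passed to PBEKeySpec on the Java side, or the bytes differ.
ITERATIONS = 65536
KEY_LEN_BYTES = 64          # 512 bits for PBKDF2WithHmacSHA512
SALT_LEN_BYTES = 16


def derive(password: str, salt: bytes, iterations: int = ITERATIONS,
           key_len: int = KEY_LEN_BYTES) -> bytes:
    # Same computation as Java's PBKDF2WithHmacSHA512: password chars are
    # UTF-8 encoded, the salt is raw bytes, the output is key_len bytes.
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=key_len)


def create_record(password: str) -> dict:
    # What goes into the DB: a fresh random salt plus the derived hash, both
    # hex-encoded so the byte arrays can live in ordinary text columns.
    salt = os.urandom(SALT_LEN_BYTES)
    return {"salt": salt.hex(), "hash": derive(password, salt).hex()}


def verify(password: str, record: dict) -> bool:
    # Re-derive with the STORED salt (never a new one) and compare in constant
    # time so response timing does not reveal how many leading bytes matched.
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    return hmac.compare_digest(derive(password, salt), expected)


def recheck_external_output(password: str, salt_hex: str, hash_hex: str) -> bool:
    # Cross-check a value produced elsewhere (e.g. by the Java code): same
    # password + same salt + same parameters must reproduce the same bytes.
    return verify(password, {"salt": salt_hex, "hash": hash_hex})


if __name__ == "__main__":
    rec = create_record("correct horse battery staple")   # constructed input
    print("salt:", rec["salt"])
    print("hash:", rec["hash"])
    print("verify ok :", verify("correct horse battery staple", rec))
    print("verify bad:", verify("wrong password", rec))
```

To cross-check a hash the Java program produced, print its salt and hash as hex (for example with a loop over the byte array and `String.format("%02x", b)`) and pass those strings to `recheck_external_output`.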
Al Hobbs wrote: Should the app use a different salt for each password, or should it be generated one time and then stored in a file, or what?
In crypto speak, a salt is also called an "initialization vector", or IV. Any cryptographic operation that transforms a secret message (like a password) must yield a unique value every time. If you hash a password twice, you should end up with two different and completely random looking byte strings. That's what the IV is for: it introduces a unique and random component to every password.
To be able to validate a hash, you need to hash the password with the same IV you used in the original operation. That means you must store an IV with every password hash. You can do this by appending the IV to the hash, or by storing it in a separate database cell, if you want. It doesn't really matter. Unlike the hash, IVs are not considered secret.
In addition to salting a password, some publications recommend using a pepper as well: encrypting a password with a key before hashing the result. The key is generated once per deployment and is stored in a configuration file. I strongly doubt it provides any significant security improvements over just using a proper hashing algorithm like PBKDF2 or bcrypt.