Secure way of Storing User Credentials
One of the common requirements in a Java web application is the secure storage of user passwords. Storing passwords in plain text poses a severe security risk and should never be considered. Passwords must be stored in such a way that there is no means of recovering the original password from the stored representation. There are a number of algorithms in use; here we discuss two kinds: encryption algorithms and hashing algorithms.
Encryption Algorithm
Encryption is an encoding technique in which a message is encoded with an encryption algorithm so that only authorized parties can access the message or information. It is a special type of encoding used for transferring private data. The data to be encrypted (the plain-text) is transformed with a cipher such as AES or RSA under a secret key. The encrypted data is called cipher-text, and the intended recipient uses the secret key to convert it back to plain-text.
Advantage
Disadvantage
Hashing Algorithm
In hashing, the data is transformed by a hashing function into a hash, a fixed-size value derived from the input string or text. Examples of hashing algorithms are MD5 and SHA-256. Once data is hashed it cannot be reversed.
Hashing
Hashing is the practice of using an algorithm to map data of any size to a fixed length. The result is called a hash value (or sometimes a hash code or hash sum).
SALT
SALTED SECURE HASH ALGORITHM (SALT): A salted secure hash algorithm helps protect password hashes against dictionary attacks by introducing additional randomness. Password hash salting means that random data, a salt, is used as an additional input to the hash function that hashes a password. The goal of salting is to defend against dictionary attacks and against attacks on hashed passwords using a rainbow table.
To salt a password hash, a new salt is randomly generated for each password. The salt and the password are concatenated and then processed with a cryptographic hash function. The resulting output (but not the original password) is stored with the salt in a database. There are two types of SALT: Fixed SALT and Random SALT.
Fixed SALT
In this technique the salt is a fixed string that is the same for every user, so if two users choose the same password the hashed passwords produced will be identical, and a conflict arises.
Random SALT
In this technique the salt is a random string of fixed length generated separately for each user, so even if two users choose the same password the hashed passwords produced will be different, and no conflict arises.
Advantage
Disadvantage
Types of Hashing Algorithm with SALT
Type – 1: Hashing Algorithm with Fixed SALT
In both examples, the hashed password plus the salt are stored in the DB.
Ex – 1
  Password: Test
  SALT: "my-salt-text"
  Hashed Password: 0e027d4dbc1bf55d733c5730cdb6799fb8f9e88a
Ex – 2
  Password: Test
  SALT: "my-salt-text"
  Hashed Password: 0e027d4dbc1bf55d733c5730cdb6799fb8f9e88a
In this case the user gives the same password, "Test", once again, so the hashed password produced is the same: 0e027d4dbc1bf55d733c5730cdb6799fb8f9e88a.
Type – 2: Hashing Algorithm with Random SALT
In both examples, the hashed password plus the salt are stored in the DB.
Ex – 1
  Password: Test
  SALT: "[B@3d747c7c"
  Hashed Password: 0e027d4dbc1bf55d733c5730cdb6799fb8f9e89b
Ex – 2
  Password: Test
  SALT: "[B@5d747c77"
  Hashed Password: 5cd2d52fa4c343d35d003d122e165afe7ab640a0
In this case a random SALT is used, so the same password does not produce conflicting (identical) hashed passwords.
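The two cases above, fixed salt versus random salt, as an added Java example (not the author's code): it hashes salt || password with SHA-256, one of the algorithms named above, draws the random salt from SecureRandom, and hex-encodes the salt before storage so the salt bytes themselves reach the DB (a byte[] printed directly yields only an object reference such as "[B@3d747c7c", not the salt). The class and method names are assumed, and HexFormat requires Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HexFormat;

public final class SaltedHashDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final HexFormat HEX = HexFormat.of(); // Java 17+

    // A fresh 16-byte salt from a CSPRNG, generated per password, never reused.
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return salt;
    }

    // SHA-256 over salt || password, returned as lowercase hex for storage.
    static String hash(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return HEX.formatHex(md.digest());
    }

    // Login check: recompute with the stored salt, compare in constant time.
    static boolean verify(String saltHex, String storedHash, String candidate)
            throws NoSuchAlgorithmException {
        byte[] actual = HEX.parseHex(hash(HEX.parseHex(saltHex), candidate));
        return MessageDigest.isEqual(HEX.parseHex(storedHash), actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String password = "Test"; // the same password for two users, as in the tables
        // Fixed salt: identical passwords give identical stored hashes.
        byte[] fixed = "my-salt-text".getBytes(StandardCharsets.UTF_8);
        System.out.println("fixed  user1: " + hash(fixed, password));
        System.out.println("fixed  user2: " + hash(fixed, password));
        // Random salt: each user gets their own salt, so the stored hashes differ.
        byte[] s1 = newSalt(), s2 = newSalt();
        String h1 = hash(s1, password), h2 = hash(s2, password);
        System.out.println("random user1: salt=" + HEX.formatHex(s1) + " hash=" + h1);
        System.out.println("random user2: salt=" + HEX.formatHex(s2) + " hash=" + h2);
        // The DB row keeps hex salt + hex hash; verify recomputes from that row.
        System.out.println("login ok:  " + verify(HEX.formatHex(s1), h1, "Test"));
        System.out.println("login bad: " + verify(HEX.formatHex(s1), h1, "test"));
    }
}
```

A single SHA-256 pass is fast enough that an attacker can test billions of guesses per second, so production password storage should pair the per-user random salt with a deliberately slow password hash such as PBKDF2, bcrypt or Argon2; the salt handling and constant-time comparison shown here stay the same.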
Author: Sridhar Chandrasekaran