/!\ I have very little knowledge of Java!
The SHA256 was not made for password purpose, for passwords you must use PBDKF2 with SHA256. However prefer to choose Bcrypt or Argon2i, PBDKF2 is "ok" but by many is not considered the best.
The difference between Bcrypt/PBDKF2/Argon2i is that they allow to configure the difficulty, the pure SHA256 is very fast and therefore bad for this purpose. Remember that "human" passwords are usually short and limited, while PBDKF2 iterates to "take longer" increasing the cost of Joy-force.
The password should be compared in Constant-time, that is to compare the whole string and not just "die" when a character is different, if this is done it will be exposed to side-Channel attacks. Alternatively, use bitwise comparisons (XOR) across the string, so the processing time will be the same as if the first bit is different or only the last.
That said in Java you can use this implementation, that up to where I analyzed supply the above two questions, makes bitwise comparisons (via slowEquals()
) and by default has a reasonable number of iterations, which can be changed without breaking the hashes already generated. The other problem is whether the conversion to base64
is safe from cache attacks and if the random number generation source (for the salt
) is safe, this I can not analyze because I have no knowledge in Java.
Such implementation uses originally the PBDKF2 with SHA-1, but the Java8 has support for the PBKDF2WithHmacSHA256
, or is SHA256, according to this answer.
Following this implementation of PBKDF2, you use:
String hash = createHash("senha");
Then save it in the database, for example will result in sha1:64000:18:5Ybc8Ue3EBnLF5Q1eRZj5cUbnH9OGYYG:mTb6Xd35sqw1B9gAcE87vwya
, since it has the salt of 5Ybc8Ue3EBnLF5Q1eRZj5cUbnH9OGYYG and 64000 iterations.
Afterwards do:
verifyPassword("senha", "sha1:64000:18:5Ybc8Ue3EBnLF5Q1eRZj5cUbnH9OGYYG:mTb6Xd35sqw1B9gAcE87vwya")
To verify that the password saved from the database is equal to the password entered.
I would need it to be a language that I could use in groovy script which is what the platform I’m developing allows
– R.Santos
You may be useful: http://gik.firetrot.com/index.php/2013/04/17/hashing-password-in-java-and-groovy/
– Thiago de Campos
I managed with your suggestion to solve my problem. :)
– R.Santos
You could just update your answer with the explanation of what your code does on each line?
– R.Santos