One of the common requirements in a Java web application is the secure storage of user passwords. Storing passwords in plain text poses a severe security risk and should never be considered. Passwords must be stored in such a way that the original password cannot be recovered from the stored representation. There are a number of approaches in the real world; here we discuss two: encryption algorithms and hashing algorithms.
Encryption Algorithm
This is a technique in which a message is transformed using an encryption algorithm in such a way that only authorized parties can read it. It is commonly used for transferring private data. In encryption, the data to be encrypted (called plain-text) is transformed by a cipher such as AES or RSA under a secret key. The output is called cipher-text, and the intended recipient uses the key (for AES the same key; for RSA the matching private key) to convert it back to plain-text. The algorithm itself is not secret; only the key is.
Advantage
- This approach is better than storing the passwords in plain text.
Disadvantage
- If someone obtains the secret key (the algorithm should always be assumed to be known), they can decrypt every stored password. Because the application itself must hold the key in order to decrypt, an attacker who compromises the application server or its configuration usually obtains the key along with the database, and the stored passwords are then as good as plain text.
Hashing Algorithm
In hashing, the data is passed through a hash function, which maps the input string to a fixed-size value. Examples of hashing algorithms are MD5 and SHA-256. Once hashed, the data cannot be reversed to recover the input. Note that MD5 and SHA-256 are fast general-purpose hashes: for passwords a deliberately slow, salted password-hashing function (PBKDF2, bcrypt, scrypt or Argon2) is preferred, because it makes every guess expensive for an attacker. MD5 in particular is considered broken and should not be used in new systems.
Hashing
Hashing is the practice of using an algorithm to map data of any size to a fixed length. The result is called a hash value (or sometimes hash code or hash sum).
SALT
SALTED SECURE HASH ALGORITHM (SALT): A salted hash protects stored password hashes by introducing additional randomness. Password hash salting is when random data (a salt) is used as an additional input to the hash function that hashes a password. The goal of salting is to defeat precomputed attacks against hashed passwords, such as rainbow tables, and to ensure that two users with the same password do not end up with the same stored hash. Salting alone does not stop an attacker from running a dictionary attack against a single user's hash; that is why it is combined with a slow hash function.
To salt a password hash, a new salt is randomly generated for each password. The salt and the password are concatenated and then processed with a cryptographic hash function. The resulting output (but not the original password) is stored together with the salt in the database. Two types of salt are compared below: fixed salt and random salt.
Fixed SALT
In this technique the same salt string is used for every password. If two users choose the same password, the hashed passwords produced are identical, so a conflict arises: cracking one hash cracks both, and an attacker can precompute a table for the single known salt.
Random SALT
In this technique a fresh random string of fixed length is generated as the salt for each password. Even if two users choose the same password, the hashed passwords produced are different, so there is no conflict.
Advantage
- With this approach there is no way to regenerate the password from the hash; an attacker holding the hash can only guess candidate passwords and compare.
- Whenever the user tries to log in, we generate the hash for the entered password using the same hashing algorithm and the stored salt, then compare it with the hash stored in the database to check whether the password is correct.
Disadvantage
- The main disadvantage of this approach is that a forgotten password cannot be recovered; the user can only reset it.
Types of Hashing Algorithm with SALT
Type – 1: Hashing Algorithm with Fixed SALT
In both examples the salt and the resulting hash are stored in the DB (the password itself is not).
Ex – 1
Password | SALT | Hashed Password
Test | “my-salt-text” | 0e027d4dbc1bf55d733c5730cdb6799fb8f9e88a
Ex – 2
Password | SALT | Hashed Password
Test | “my-salt-text” | 0e027d4dbc1bf55d733c5730cdb6799fb8f9e88a
In this case the user gives the same password “Test” once again, so the hashed password produced is the same: “0e027d4dbc1bf55d733c5730cdb6799fb8f9e88a”.
Type – 2: Hashing Algorithm with Random SALT
In both examples the salt and the resulting hash are stored in the DB (the password itself is not).
Ex – 1
Password | SALT | Hashed Password
Test | “[B@3d747c7c” | 0e027d4dbc1bf55d733c5730cdb6799fb8f9e89b
Ex – 2
Password | SALT | Hashed Password
Test | “[B@5d747c77” | 5cd2d52fa4c343d35d003d122e165afe7ab640a0
In this case a random salt is used, so the same password does not produce conflicting hashes. Note that the values shown in the SALT column, such as “[B@3d747c7c”, are what Java prints for a byte[] by default (the array type plus an identity hash code), not the salt bytes themselves. A salt stored in that form cannot be used to re-hash the password at login; encode the salt bytes as hex or Base64 before storing them.
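The following is an added example, not code from the original page, that carries out the salting procedure described above and reproduces the Type 1 / Type 2 comparison: a fixed salt gives identical hashes for identical passwords, a per-user random salt does not. It stores the salt Base64-encoded rather than via byte[].toString(), compares hashes in constant time, and goes one step beyond the page by also showing the slow PBKDF2-HMAC-SHA256 variant a practitioner would actually deploy. The class name, the 16-byte salt length, the record format and the iteration count are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedPasswordHashing {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;   // assumed salt length

    // Per-user random salt. Never persist byte[].toString() ("[B@3d747c7c"): that is an
    // object identity, not the salt bytes. Encode the bytes (Base64 below) instead.
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    // The scheme described on the page: SHA-256 over salt || password.
    static byte[] sha256(byte[] salt, char[] password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(new String(password).getBytes(StandardCharsets.UTF_8));
        return md.digest();
    }

    // Preferred variant: a deliberately slow password hash (PBKDF2-HMAC-SHA256 from the JCE),
    // so each guess costs the attacker far more than a single SHA-256 call.
    static byte[] pbkdf2(byte[] salt, char[] password, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Stored record (assumed format): algorithm$iterations$salt$hash, so the verifier can
    // reproduce the exact computation later. The password itself is never stored.
    static String store(char[] password) throws Exception {
        byte[] salt = newSalt();
        int iterations = 210_000;
        byte[] hash = pbkdf2(salt, password, iterations);
        Base64.Encoder b64 = Base64.getEncoder();
        return "pbkdf2-sha256$" + iterations + "$"
                + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }

    // Login check: recompute with the stored salt and parameters, compare in constant time.
    static boolean verify(char[] password, String record) throws Exception {
        String[] parts = record.split("\\$");
        int iterations = Integer.parseInt(parts[1]);
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        byte[] actual = pbkdf2(salt, password, iterations);
        return MessageDigest.isEqual(expected, actual);  // not Arrays.equals: avoids a timing leak
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "Test".toCharArray();

        // Type 1: fixed salt, two users with the same password -> identical hashes (the conflict).
        byte[] fixed = "my-salt-text".getBytes(StandardCharsets.UTF_8);
        System.out.println("fixed salt, user A  : " + hex(sha256(fixed, pw)));
        System.out.println("fixed salt, user B  : " + hex(sha256(fixed, pw)));

        // Type 2: random per-user salt, same password -> different hashes.
        System.out.println("random salt, user A : " + hex(sha256(newSalt(), pw)));
        System.out.println("random salt, user B : " + hex(sha256(newSalt(), pw)));

        // Full store / login round trip with the slow hash.
        String record = store(pw);
        System.out.println("stored record       : " + record);
        System.out.println("verify \"Test\"       : " + verify("Test".toCharArray(), record));
        System.out.println("verify \"test\"       : " + verify("test".toCharArray(), record));
    }
}
```

Running the class prints two identical lines for the fixed salt and two different ones for the random salt, followed by a stored record that holds everything needed to check a login (algorithm, iteration count, salt, hash) and nothing that reveals the password.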