All geek questions in one place

How much does password hashing in Java cost for security?

I am developing a web application in Java and I want to make the authentication process secure
using hashed passwords.

In hashing, step-1: we take the password specified by the user and add salt to it.
step-2: hash using MessageDigest and store the hashed value in the database

When authenticating the user during the login process, we repeat the same steps above, but instead of saving the hashed value, we compare it with the value present in the database.

Now forgive my ignorance, but I want to say that if a hacker gains access to the database by any other
means it can provide security because a hacker cannot get real password text from a hash so easily.

BUT , how can it provide protection against other forms of attacks such as Bruteforce attack, Rainbow attack, dictionary attack , etc., since we use the same steps to authenticate the user to log in?

I don’t think password hashing is very important right now. Give me some suggestions ..... if I am wrong.

+6
source share
4 answers

Brute force is brute force. You can do nothing but refuse to authenticate (or introduce a delay) after N consecutive failed tests. Of course, if a hacker has a hashed password, he will be able to drag the password, but the secure hash point should take a very long time.

Rainbow / dictionary attacks are solved by salting. If the user selects “password” as their password, the rainbow / dictionary attack immediately finds the password. But since you salt the password with a random value, the hashed value will be something like d7("58gd0}78sq5sQIazuAKpassword , which will not be in the rainbow / dictionary table.

+4
source

Your concern is right. A hashed password does not provide any level of security, since there are many tools available (for example, here , here and here ) to get simple text based on hashing and hashing. I would suggest using JBcrypt , which has a salt property that you do not need to store in the database, and since your salt is not known to anyone, even you too, then it is very difficult to un-hash and get plain text.

Additional information about BCrypt as on Wikipedia

0
source

Salting and Hashing

The process is to make the password unreadable and it’s hard to get the original password back, which the user can use on another site, such as a credit card site.

Login Authentication

Now your use case is the usual hacker login form to log in using brute force, which does not use the tanning bed and the hashing password that you are supposed to do , as this is the application logic to prevent multiple logins using the wrong credentials.

Conclusion

This application of yours is applicable to prevent login using brute force, but not with a salting and hashing password .

0
source

you can save the application from Bruteforce attacks, Rainbow attacks, dictionary attacks by applying strong password rules, for example. the password must contain a combination of alphe numeric plus special characters such as myPassWord $ 10

-1
source

Source: https://habr.com/ru/post/916885/

More articles:


All Articles