spring mvc - How do I store a salt in mysql database for secure password encryption? -


i'm using shiro spring mvc login users. configure shiro in applicationcontext.xml (no ini file).

this realm configuration:

  <bean id="myrealm" class="org.apache.shiro.realm.jdbc.jdbcrealm">     <property name="datasource" ref="datasource"/>     <property name="authenticationquery" value="select password usuarios email = ?"/>     <property name="credentialsmatcher">         <bean class="org.apache.shiro.authc.credential.hashedcredentialsmatcher">               <property name="storedcredentialshexencoded" value="false"/>               <property name="hashiterations" value="1024" />         </bean>     </property>   </bean>

this code generating salt , hash when user registers:

randomnumbergenerator rng = new securerandomnumbergenerator(); object salt = rng.nextbytes();  string hashedpasswordbase64 = new sha256hash(password, salt, 1024).tobase64();  u.setpassword(hashedpasswordbase64); u.setsalt(salt.tostring());  usuariodao.saveusuario(u);

here saveusuario(u) calls dao persist user in mysql. guess salt.tostring() wrong.

the user table is:

create table usuarios (   id integer auto_increment,   nombre varchar(50), ...   password varchar(50),   salt varchar(50), ...   primary key (id) );

questions are: - type should hash field in db? hash created rng.nextbytes , of type object. - how declare field or query hashedcredentialsmatcher can authenticate properly?

first, please read thomas pornin's canonical answer how securely hash passwords.

then, note java 8 have pbkdf2-hmac-sha-512 available now pbkdf2withhmacsha512 - use instead. sha-512 in particular has 64-bit operations reduce advantage gpu based attackers have. use more iterations 1024, - see system can handle comfortably under load!

use those, or bcrypt, or scrypt. use @ least 12 byte cryptographically random salt.

do not request more 64 (binary) bytes out of pbkdf2-hmac-sha-512, more 32 (binary) bytes out of pbkdf2-hmac-sha-256, or more 20 (binary) bytes out of pbkdf2-hmac-sha-1, or actively give attackers advantage.

you can absolutely store both hash , salt in database in binary() fields, or convert them base64 or hexadecimal; that's you. binary() smallest, , requires no conversions going in or coming out.


Comments

Post a Comment

Popular posts from this blog

javascript - jQuery: Add class depending on URL in the best way -

i have html progress meter: <div class="col-md-3" style="margin-left: -20px;"> <div class="progress-pos active" id="progess-1"> <div class="progress-pos-inner"> login </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-2"> <div class="progress-pos-inner"> scan items </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-3"> <div class="progress-pos-inner"> confirm address </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-4"> <div class="progress-pos-in...
Read more

caching - How to check if a url path exists in the service worker cache -

i need check if particular url path exists in service worker cache. example, suppose url is: /myserviceworker/service?a=110&b=70 this url exists in cache, there many of them different values of , b. now, suppose want refresh of these urls, how can that? i want know how access key values service worker cache. if know key, plan follows: var url = new url(key); if(url.pathname === "\/myserviceworker/service") refetch key but not sure how cache key , in format is. mean, string or url? cache api has match() method returns promise resolving in response object if match or undefined if no match exists. second parameter object can specify ignoresearch not take account url parameters. the ignoresearch option supported firefox ( chrome status here ). in other hand, retrieve cache entries, can use keys() method.
Read more

Redirect to a HTTPS version using .htaccess -

i need modify .htaccess file redirect urls https version without "www". http://example.com --> https://example.com http://www.example.com --> https://example.com https://www.example.com --> https://example.com this how .htaccess file looks like: rewriteengine on rewritecond %{request_filename} !-d rewritecond %{request_filename} !-f rewriterule ^(.*)$ redirect.php?id=$1&page=$2 [qsa,l] what modifications need make .htaccess in order forward https without "www"? it depends on doing current code. looks file called redirect trying display php page seo friendly url. think might confusing people. anyway, need , force https without www, need 1 more rule above. also second rule needs two capture groups in rewriterule test string because wanting 2 different values using $1 , $2 references. rewriteengine on #rediect www non www and/or http https --- combinations. rewritecond %{http_host} !^example\.com [nc,or] rewritecond %{https} !^...
Read more