
Thread: Password hashing & Salts

  1. #1
    Join Date
    Feb 2013

    Password hashing & Salts

    Hey guys! So, after a longer time than it should have taken, something clicked in my tiny little brain and I understood salts. Now, my question: are LARGE salts a bad idea? I don't see much difference between a 16 byte salt and a 1024 byte one... would it help? Would it be negative? Is there a sweet spot for salt length? Also, about peppers... (if you don't know, basically you create a 1 byte "salt" and DON'T store it to your DB/datastore/whatever. When logging in, you must try all 256 different bytes. This is still fast for users logging in, but makes it take 256 times as much time to crack.) are they a bad idea? They seem like a great idea to me... and I don't mind my login process being 256 times slower. I also don't care if it takes a whole minute, which it doesn't. I do, however, want my hashes to be as secure as possible. Obviously, I'm using a SecureRandom. What about using multiple hashes? i.e. Hash(Hash(Hash(pepper + salt + password)))? Is it a good idea or a bad idea? I mean, it seems like a good idea to me but I'm not a cryptographer. Also, right now I am using SHA-1. What algorithm should I use? I have heard that scrypt is the "most secure", but I'm not sure.

    Either way, what I have now is certainly more secure than just a SHA-1.
    Thanks for reading, hope you guys can clear these things up for me.

    By the way, I wasn't really sure where the best place to post this was, so... sorry if this isn't the right spot.
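
    The pepper scheme described in the post, written out as an added example that is not from the original thread: it uses the JDK's built-in PBKDF2 (an assumption standing in for the plain SHA-1 mentioned above) over a 16-byte SecureRandom salt, keeps the 1-byte pepper out of the stored record, and tries all 256 pepper values when verifying. The class and method names are my own.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PepperedPasswordHash {
    private static final int SALT_BYTES = 16;     // 16 random bytes is already more than enough
    private static final int ITERATIONS = 10_000; // demo value; verify() runs this 256 times over
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // PBKDF2-HMAC-SHA256 (JDK built-in) over salt || pepper byte, keyed by the password.
    static byte[] derive(char[] password, byte[] salt, int pepper) throws Exception {
        byte[] saltAndPepper = new byte[salt.length + 1];
        System.arraycopy(salt, 0, saltAndPepper, 0, salt.length);
        saltAndPepper[salt.length] = (byte) pepper;
        PBEKeySpec spec = new PBEKeySpec(password, saltAndPepper, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Stored record is "base64(salt):base64(hash)"; the pepper byte is deliberately not stored.
    static String hash(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        int pepper = RNG.nextInt(256);
        byte[] digest = derive(password, salt, pepper);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(digest);
    }

    // Tries every pepper; isEqual is constant-time and the loop never exits early, so timing leaks nothing.
    static boolean verify(char[] password, String stored) throws Exception {
        String[] parts = stored.split(":");
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        boolean match = false;
        for (int pepper = 0; pepper < 256; pepper++) {
            match |= MessageDigest.isEqual(derive(password, salt, pepper), expected);
        }
        return match;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample password
        String record = hash(pw);
        System.out.println("right password accepted: " + verify(pw, record));
        System.out.println("wrong password accepted:  " + verify("not it".toCharArray(), record));
    }
}
```

    Because the pepper is recovered by brute force, every verify() call costs 256 full derivations, so ITERATIONS has to be chosen so that 256 times one derivation fits the login delay you are willing to accept.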

  2. #2
    KevinWorkman
    Join Date
    Oct 2010
    Washington, DC

    Re: Password hashing & Salts

    Recommended reading: cryptography - Do any security experts recommend bcrypt for password storage? - Information Security Stack Exchange