Secure way of Storing User Credentials


One of the common requirements in Java web application is the secure storage of user passwords. Storing user password in plain text will pose a severe security risk and should never be considered. Passwords must be stored in such a way that there is no means of viewing the original password from the stored representation. There are number of algorithms in real world, here we are going to discuss about Encryption Algorithm & Hashing Algorithm

Encryption Algorithm

This is an encoding technique in which message is encoded by using encryption algorithm in such a way that only authorized personnel can access the message or information. It is a special type of encoding that is used for transferring private data. In encryption, data to be encrypted (called plain-text) is transformed using an encryption algorithm like AES encryption or RSA encryption using a secret key called cipher. The encrypted data is called cipher-text, and finally, the secret key can be used by the intended recipient to convert it back to plain-text.

Advantage

  • This approach is better than storing the passwords in plain text.

Disadvantage

  • If someone knows the encryption algorithm and the secret key that was used for encryption, they can de-crypt the passwords.

Hashing Algorithm

In hashing, the data is converted to the hash using some hashing function, which can be any number generated from string or text. Few hashing algorithms are: MD5 & SHA256. Data once hashed is non-reversible.

Hashing

Hashing is the practice of using an algorithm to map data of any size to a fixed length. This is called a hash value (or sometimes hash code or hash sums)

SALT

SALTED SECURE HASH ALGORITHM (SALT): Salted secured hash algorithm helps protect password hashes against dictionary attacks by introducing additional randomness. Password hash salting is when random data – a salt – is used as an additional input to a hash function that hashes a password. The goal of salting is to defend against dictionary attacks or attacks against hashed passwords using a rainbow table.

To salt a password hash, a new salt is randomly generated for each password. The salt and the password are concatenated and then processed with a cryptographic hash function. The resulting output (but not the original password) is stored with the salt in a database. Types of SALT are: Fixed SALT & Random SALT

Fixed SALT

In this technique, we have fixed bit of same string, (i.e.) if user uses same password, then the hashed password produced will be same, so conflict get arise.

Random SALT

In this technique, we have fixed bit of random string, (i.e.) if user uses same password also, the hashed password produced will be different, so there will be no conflict.

Advantage

  • In this algorithm there is no way to regenerate the password from the hash.
  • Whenever the user tries to log in, we will generate the hash for the password using the same hashing algorithm and then compare it with the hash stored in the database to check whether the password is correct or not.

Disadvantage

  • The main disadvantage of this algorithm is that it is not possible to recover a password; you can only reset your password.

Types of Hashing Algorithm with SALT

Type – 1: Hashing Algorithm with Fixed SALT

In both the examples, the password plus salt key will be stored in DB

Ex – 1    
Password SALT Hashed Password
Test “my-salt-text” 0e027d4dbc1bf55d733c5730cdb6799fb8f9e88a
Ex – 2    
Password SALT Hashed Password
Test “my-salt-text” 0e027d4dbc1bf55d733c5730cdb6799fb8f9e88a

In this case where user is giving same password once again “Test”, therefore hashed password produced will be the same hash password” 0e027d4dbc1bf55d733c5730cdb6799fb8f9e88a”.

Type – 2: Hashing Algorithm with Random SALT

In both the examples, the password plus salt key will be stored in DB

Ex – 1    
Password SALT Hashed Password
Test “[B@3d747c7c” 0e027d4dbc1bf55d733c5730cdb6799fb8f9e89b
Ex – 2    
Password SALT Hashed Password
Test “[B@5d747c77” 5cd2d52fa4c343d35d003d122e165afe7ab640a0

In this case where we are using random SALT, so using of same password will not be conflicting with each other.

Leave a Comment

Your email address will not be published. Required fields are marked *