Instant Java Password and Authentication Security

A practical, hands-on guide to securing Java application passwords with hashing techniques

Product type Paperback
Published in Nov 2013
Publisher Packt
ISBN-13 9781849697767
Length 38 pages
Edition 1st Edition
Author: Fernando Mayoral
Table of Contents

Instant Java Password and Authentication Security
Credits
About the Author
About the Reviewers
www.PacktPub.com
Preface
1. Instant Java Password and Authentication Security

Creating a simple hash (Simple)


This task introduces the basic hashing technique in Java by creating a plain, unsalted MD5 hash of a password.

How to do it...

The following are the steps to create the initial hash (at signup):

  1. Get the password value as plain text.

  2. Get an MD5 MessageDigest instance.

  3. Feed the password bytes into the MessageDigest instance.

  4. Execute the digest method to get the hash as a byte array.

  5. Encode each byte as two hexadecimal characters and append them to a StringBuilder.

  6. Get the built string from the StringBuilder.

  7. The built String is the hexadecimal representation of the MD5 hash.

  8. The hash (not the password) can now be stored.

The following is a screenshot of the code that allows us to perform the steps enumerated before; I've added comments to explain which step we are fulfilling in each piece of code:

The hashed password can now be saved in the database instead of the plain text password. When the user logs in with their password, we compute the hash again and compare it with the hash in the database. By doing this, the plain text password is never stored, so nobody but the account owner knows the original password.
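The eight signup steps above and the login check described in the previous paragraph, written out as one runnable class. This is an added example, not the book's screenshot code; the class name Md5PasswordDemo and the method names getHashMD5 and verify are my own. It fixes the character set explicitly (the book's screenshots most likely rely on the platform default, which makes hashes differ between machines) and compares the hashes with MessageDigest.isEqual rather than String.equals so that the comparison does not leak timing information about how many leading characters match.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class Md5PasswordDemo {

    // Steps 2-7: digest the UTF-8 bytes of the password with MD5 and
    // return the 32-character lowercase hexadecimal representation.
    public static String getHashMD5(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");            // step 2
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8)); // steps 3-4
            return toHex(digest);                                           // steps 5-7
        } catch (NoSuchAlgorithmException e) {
            // Every conforming JRE ships MD5, so this cannot happen in practice.
            throw new IllegalStateException("MD5 MessageDigest not available", e);
        }
    }

    // Step 5: two hex characters per byte; "& 0xff" undoes Java's sign extension.
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // Login: recompute the hash of the candidate password and compare it with
    // the stored one in constant time.
    public static boolean verify(String candidate, String storedHexHash) {
        byte[] computed = getHashMD5(candidate).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = storedHexHash.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(computed, stored);
    }

    public static void main(String[] args) {
        // Signup: this is what goes into the database instead of the password.
        String stored = getHashMD5("correct horse battery staple");
        System.out.println("stored hash: " + stored);

        // Login attempts: the right password and a near miss (different case).
        System.out.println("right password: " + verify("correct horse battery staple", stored));
        System.out.println("wrong password: " + verify("Correct horse battery staple", stored));
    }
}
```

Run it with `javac Md5PasswordDemo.java && java Md5PasswordDemo`. The hash is deterministic: the same password always produces the same 32 hex characters on any machine, which is exactly the property the rest of this chapter goes on to show is dangerous for password storage.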

How it works...

MD5 is a cryptographic hash function that produces a 128-bit hash value (32 characters when written in hexadecimal). The basic idea is to map input of any length to output of a fixed length. To do this, the input message is padded so that its length becomes a multiple of 512 bits (the padding includes the original message length), and the result is split into 512-bit blocks. The blocks are then processed one after another by the MD5 compression function, which operates on a 128-bit internal state; the final state is the 128-bit hash value.

You don't need to implement any of this yourself; the JDK's MessageDigest class already does it, and you only have to call it as in the example code.

Note that two very similar messages (even ones that differ by a single bit) processed by the MD5 algorithm will result in completely different hashes; there is no way to tell from the output how close two inputs were.

Let's wrap the previous code into a function, getHashMD5 (comments removed), as shown in the following screenshot:

Now, we can test our MD5 function by running the following code as shown in the screenshot:

After executing the preceding code, we will get the following output as shown in the screenshot:

Congratulations! You have successfully generated your first MD5 Hash. I know it's exciting doing this for the first time, however, this is just the introduction, and I want to be very clear about this: never, and I mean never, use MD5 hashes for storing passwords; they are really weak and easy to break.

There's more...

Although MD5 is a widely used hashing algorithm, it is far from secure for password storage: its cryptographic weaknesses are well known, and, more importantly for passwords, it is extremely cheap to compute.

  • The advantages of MD5 hashes are as follows:

    • Easy to implement; it ships with every Java runtime

    • Very fast in execution and cost-effective in resources

  • The disadvantages of MD5 hashes are as follows:

    • MD5 is not collision resistant: it is practical to construct two different inputs that produce the same hash, so it cannot be trusted where collisions matter

    • Since it's fast in execution, an attacker can test enormous numbers of guesses per second, which makes brute force and dictionary attacks cheap

    • Because the same password always hashes to the same value, precomputed tables of words and their hashes (rainbow tables) let an attacker look up a stolen, unsalted hash and recover the original password almost instantly

Even so, MD5 is still useful as a checksum for detecting accidental corruption of large files, and storing an MD5 hash is better than storing plain text, but it's not a good option to keep really sensitive data (such as passwords) safe.
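To make the "fast, therefore weak" point concrete, here is an added example (my code, not from the book) of the dictionary attack described in the list above. It takes a stolen unsalted MD5 hash, hashes each word of a constructed ten-word wordlist standing in for a real dictionary, and reports the first match; it also measures how many MD5 digests one core of the machine can compute per second, which is the number an attacker divides a wordlist size by. The class name Md5DictionaryAttack, the wordlist, and the "leaked" hash (computed inline from the password "iloveyou") are all my own constructed inputs.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.List;
import java.util.Optional;

public class Md5DictionaryAttack {

    // Constructed wordlist; a real attacker uses millions of entries from past breaches.
    static final List<String> WORDLIST = List.of(
        "123456", "password", "qwerty", "letmein", "dragon",
        "monkey", "baseball", "football", "iloveyou", "sunshine");

    static MessageDigest md5() {
        try {
            return MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 MessageDigest not available", e);
        }
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // Dictionary attack: because the hash is unsalted, one digest per guess is
    // all it takes, and the same precomputation works against every user.
    public static Optional<String> crack(String targetHex, List<String> wordlist) {
        MessageDigest md = md5();
        for (String guess : wordlist) {
            String hex = toHex(md.digest(guess.getBytes(StandardCharsets.UTF_8)));
            if (hex.equals(targetHex)) {
                return Optional.of(guess);
            }
        }
        return Optional.empty();
    }

    // Rough single-threaded throughput: digests per second for a short input.
    public static long hashesPerSecond(int iterations) {
        MessageDigest md = md5();
        byte[] candidate = "candidate".getBytes(StandardCharsets.UTF_8);
        long start = System.nanoTime();
        for (int i = 0; i < iterations; i++) {
            md.digest(candidate); // digest() resets the instance for the next call
        }
        long elapsedNs = System.nanoTime() - start;
        return iterations * 1_000_000_000L / Math.max(1L, elapsedNs);
    }

    public static void main(String[] args) {
        // Constructed "leaked" hash: what an attacker would pull from a stolen database.
        String leaked = toHex(md5().digest("iloveyou".getBytes(StandardCharsets.UTF_8)));
        System.out.println("leaked hash:   " + leaked);
        System.out.println("recovered:     " + crack(leaked, WORDLIST).orElse("<not in wordlist>"));
        System.out.println("MD5 rate here: ~" + hashesPerSecond(2_000_000) + " hashes/s (one core, JDK)");
    }
}
```

Even the unoptimised JDK implementation reaches millions of digests per second on one core; GPU crackers run several orders of magnitude faster. A wordlist of a few hundred million entries is therefore exhausted in seconds, and a salt only stops the precomputation, not the speed. That is why the rest of the book moves to slow, salted password hashes.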

Password recovery

When we store a hashed password, it's virtually impossible to get the original value back, or at least that's the idea. This is because a hash is a one-way function; unlike encryption, which has two directions (encrypt and decrypt), there is no "de-hash".

So, when a user forgets their password, we can't send them the original password by e-mail; instead, we can let them recover access in one of the following two ways:

  • Generate a new random password and send it to the user via e-mail, text message, and so on. Ideally the system should force the user to change this password right after logging in with it.

  • Generate a link containing a random code that allows the user to reset their password, and send that link to their e-mail address. The code should expire after a given time frame and should only be usable once.
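The second option, the expiring reset link, as an added example (my code, not the book's). The class name PasswordResetTokens, the in-memory STORE standing in for the users table, the 30-minute lifetime and the choice of SHA-256 for hashing the token are all my assumptions. Two details that the bullet above leaves implicit and that a practitioner wants to get right: the token comes from SecureRandom, never from java.util.Random, and the database keeps only a hash of the token, so a leaked users table does not hand out live reset links.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class PasswordResetTokens {

    static final SecureRandom RNG = new SecureRandom();
    static final Duration TOKEN_LIFETIME = Duration.ofMinutes(30); // assumed policy

    // What is persisted per user: the hash of the token and its expiry, never the token itself.
    static final class PendingReset {
        final byte[] tokenHash;
        final Instant expiresAt;
        PendingReset(byte[] tokenHash, Instant expiresAt) {
            this.tokenHash = tokenHash;
            this.expiresAt = expiresAt;
        }
    }

    // Hypothetical in-memory stand-in for the users table, keyed by user id.
    static final Map<String, PendingReset> STORE = new HashMap<>();

    static byte[] sha256(byte[] input) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(input);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 MessageDigest not available", e);
        }
    }

    // Mint a 256-bit random token, store only its hash plus expiry, and return
    // the raw token so it can be placed in the e-mailed link.
    public static String issueToken(String userId, Instant now) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        STORE.put(userId, new PendingReset(sha256(raw), now.plus(TOKEN_LIFETIME)));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Called when the link is clicked: the token must hash to the stored value,
    // must not have expired, and is consumed on first use whatever the outcome.
    public static boolean redeemToken(String userId, String token, Instant now) {
        PendingReset pending = STORE.get(userId);
        if (pending == null) {
            return false;
        }
        byte[] raw;
        try {
            raw = Base64.getUrlDecoder().decode(token);
        } catch (IllegalArgumentException malformed) {
            return false;
        }
        boolean matches = MessageDigest.isEqual(sha256(raw), pending.tokenHash);
        boolean fresh = now.isBefore(pending.expiresAt);
        if (matches) {
            STORE.remove(userId); // single use: a replayed link must fail
        }
        return matches && fresh;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.now();
        String token = issueToken("alice", t0);
        System.out.println("token for the link: " + token);
        System.out.println("guessed token: " + redeemToken("alice", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", t0));
        System.out.println("real token:    " + redeemToken("alice", token, t0.plus(Duration.ofMinutes(5))));
        System.out.println("replayed:      " + redeemToken("alice", token, t0.plus(Duration.ofMinutes(6))));

        String stale = issueToken("alice", t0);
        System.out.println("after 1 hour:  " + redeemToken("alice", stale, t0.plus(Duration.ofHours(1))));
    }
}
```

The link itself would look like https://example.com/reset?uid=alice&token=... (a hypothetical URL). Passing the clock in as an Instant rather than calling Instant.now() inside redeemToken is what makes the expiry path testable; in production the caller simply passes Instant.now().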
