Sha512 generate different hash values when using salt

 
Ranch Hand
I tried to save the password as hash values. I used SHA-512 with salt. When I try to verify the password, it seems it generates different hash values. I am generating a random salt using the SecureRandom class in Java.
 
Saloon Keeper
Don't roll your own crypto. Use a key derivation function to generate password hashes for you, not your own hash+salt combination.

Having said that, if this is for educational purposes go right ahead, as long as it doesn't end up in production somewhere.

You are likely generating a new salt during the validation step. Don't. Use the same salt you generated when you hashed the original password. If you need more help with this, you'll have to show us your code though.
 
shawn peter
Ranch Hand
Yes, it was an issue with the salt: since the salt was saved as a String, it may change the content. I saved the salt as a byte array and now it is OK. I have one more question. If I use pepper as another salt, where must it be saved? In the code or a config file?
 
Stephan van Hulst
Saloon Keeper

sam liya wrote: If I use pepper as another salt

What do you mean "as another salt"? A pepper is not a salt, and you wouldn't use it that way.

where it must be saved, in the code or config file?

In a configuration file, so you can use a different pepper per deployment.
 
shawn peter
Ranch Hand
Can you provide me a sample of pepper? According to the tutorial below, it is another String value. I just need to know how to add the salt value when hashing the password.

https://happycoding.io/tutorials/java-server/secure-password-storage#peppering-passwords

I just need to know how to add the salt value when hashing the password. Currently I am using a String password and a byte array for the salt.
 
Stephan van Hulst
Saloon Keeper
It doesn't matter how you add it. You can add it by concatenating the strings together, or you can add it by creating a byte array and filling it with the binary data of the password, salt and pepper in succession. Remember that most crypto functions work on byte arrays, so you need to make sure that whenever you convert your strings to binary, you do it with a fixed known encoding.

Show us your code for review.
 
shawn peter
Ranch Hand
I am using the code below.



The mysalt value is a byte array, so I believe this approach is fine.
 
Stephan van Hulst
Saloon Keeper
What do you do with the salt after hashing?
 