Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Storing Passwords Securely With Bcrypt and Java

DZone's Guide to

Storing Passwords Securely With Bcrypt and Java

In this post, we go over how to use this password hashing function to ensure your passwords are properly encrypted and GDPR complaint.

· Security Zone ·
Free Resource

Mobile is increasingly becoming a part of every consumers’ identity, but the increasing use of this digital channel is escalating the security risks faced by consumers and institutions.

Storing passwords are not something easy to come up with when we need to satisfy all the data protection laws, and it is getting even tougher with the rise of the GDPR, the new European regulation in data privacy. Therefore, we have to make sure all our sensitive data is encrypted and, to do that, we can use hashing algorithms.

When we want to hash passwords to store them in a database, Bcrypt is the way to go. There are many libraries for different languages, but this time I will show you how you can do it with the one included in Spring Security.

<dependency>      
<groupId>org.springframework.security</groupId>
    <artifactId>spring-security-crypto</artifactId>
</dependency>

The code is available on Github.

JBcrypt hashes passwords using a version of Bruce Schneier's Blowfish block cipher with modifications designed to raise the cost of off-line password cracking. The computation cost of the algorithm is parameterized, so it can be increased as computers get faster.

How to Use

Hash password:

BCrypt.hashpw(plainTextPassword, BCrypt.gensalt())

Where plainTextPassword is the password we want to hash and BCrypt.gensalt() is a salt to autogenerate every time.

In case we want to increment the complexity, an optional parameter (log_rounds) needs to be provided to BCrypt.gensalt(), which determines the computational complexity of the hashing. log_rounds is exponential (2**log_rounds) and says how many times to run the internal hash function. The default value is 10, and the valid values are between 4 and 31.

The output strings after running hashpw() will look like:

$bcrypt_id$log_rounds$128_bits_salt184_bits_hash

hashpw() is smart enough to extract the salt from the string, so you do not need to worry about the salt value anymore, only the hashed string.

Check hash password: 

BCrypt.checkpw(unencryptedPassword, hashPassword)

This method checks that an unencrypted password matches the one that was previously hashed and ensures that it is stored somewhere.

Conclusion

Bcrypt is 10,000 times slower than sha1 to run. If we have a machine that's able to run it in 100ms, this is probably fast enough for login, but it might be too slow if we want to execute Bcrypt against a long list of passwords. In consequence, if a hacker wants to run Bcrypt a billion times by using the same computational power, it will take 27,777 hours.

Explore the authentication advancements that are designed to secure accounts and payments—without overburdening consumers with a friction-laden experience.

Topics:
security ,password security ,java security ,security compliance ,hashing

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}