For security reasons you should never store passwords in plain text in your database; you store a one-way hash of each password instead. At the same time, a malicious user who gets hold of the database must not be able to turn the stored value back into the password, so a reversible transformation (Base64 encoding, or encryption with a key kept next to the data) would be just another security flaw.
So how do you store the password and still be able to check programmatically, at login time, that the password the user typed matches?
There are several ways of doing it. In this article I will talk about storing the password hashed together with a random value called a "salt", generated fresh for every password. The salt makes each hash unique: two users with the same password end up with different hashes, and an attacker cannot crack the whole table at once with precomputed hashes, because every stored hash has to be attacked on its own. Note that the salt is not a secret. It is stored next to the hash so that it can be fed back into the same function at login; its job is to stop precomputation and bulk cracking, not to hide anything.
Here is a simple password hasher that I wrote which uses the algorithm PBKDF2WithHmacSHA512 (the name the Java SecretKeyFactory accepts). What does that mean? Let's break it down.
- PBKDF2 is "Password-Based Key Derivation Function 2" (RFC 8018). It repeatedly applies a pseudorandom function to the password and salt, so that every guess costs an attacker the same number of iterations it costs you.
- HMAC is "Hash-based Message Authentication Code", a keyed construction built on top of a hash function. PBKDF2 uses it as its pseudorandom function, with the password as the HMAC key.
- SHA-512 is the Secure Hash Algorithm from the SHA-2 family with a 512-bit output. It is the hash that the HMAC is built on here.
So the name describes a layered construction: a key derivation function (PBKDF2) driving a keyed MAC (HMAC) built on a hash (SHA-512). The output is a derived key, and that derived key is what you store as the password hash.
The algorithm takes several parameters, which you pass in through a PBEKeySpec:
PBEKeySpec pbeKeySpec = new PBEKeySpec(password.toCharArray(), salt, 10, 512);
- The password itself, as a char[] rather than a String so that it can be wiped from memory once the key has been derived
- Salt: random bytes, generated per password from SecureRandom (16 bytes is a common choice); it is stored alongside the hash
- Iteration count: how many times the HMAC is applied. This is the cost knob, and 10, as in the line above, is far too low for anything but a demonstration; production values are in the hundreds of thousands (OWASP currently recommends 210,000 for PBKDF2-HMAC-SHA512), and the value should be raised over time as hardware gets faster
- Key length in bits: 512 matches the output size of SHA-512. Asking for more than one hash output makes PBKDF2 run the full iteration loop again for each extra block, which costs you but not an attacker, who only needs the first block to test a guess
Here is the source code for the password hasher.
Here is a unit test for it: