Talk:Hashing Java

Status
Needs review

General Discussion
I use a very similar scheme in my applications, but 2 points that came to mind whilst reading.
 * 1) Iterations of at least 1000 times seemed a bit excessive, but it is in the standard and I'm in no way qualified to critise.
 * 2) Instead of storing salt in it's own field I usually include it amongst the password (i.e characters 2, 4, 7, 13, 17, 19) to make it that bit harder to even find the salt value. I generally hex encode the hashes as well to make them a bit easier to work with.  Assuming decompiled code is available (as an attacker has gained access to the password hashes) this extra salt hiding may not serve any useless purpose.