Difference between revisions of "Talk:Hashing Java"

Jump to: navigation, search
(Reverting to last version not containing links to s1.shard.jp)
Line 1: Line 1:
[http://s1.shard.jp/olharder/hertz-autovermietung.html dealer automotive service ] [http://s1.shard.jp/losaul/business-services.html australia en estudiar ingles ] [http://s1.shard.jp/frhorton/rykfyeh82.html what is happening in sudan africa ] [http://s1.shard.jp/olharder/automobile-accident.html adstartup automove ] [http://s1.shard.jp/galeach/new118.html postini asia content filtering ] [http://s1.shard.jp/losaul/australian-vets.html australian vets for pfizer] [http://s1.shard.jp/losaul/centacare-australia.html maria sharapova australian open pictures ] [http://s1.shard.jp/galeach/new41.html align asiasat ] [http://s1.shard.jp/bireba/www-avg-antivirus.html winantivirus2005 serial ] [http://s1.shard.jp/frhorton/3k3nxdd3j.html african radio stations online ] [http://s1.shard.jp/frhorton/ybfhg5c59.html african berkeley heights in jersey new ] [http://s1.shard.jp/frhorton/tyyykyebz.html creative planet south africa ] [http://s1.shard.jp/olharder/autoroll-654.html map] [http://s1.shard.jp/galeach/new87.html euthanasia dr ] [http://s1.shard.jp/galeach/new183.html believe fantasia i life lyric waited] [http://s1.shard.jp/bireba/notan-antivirus.html avg antivirus full ] [http://s1.shard.jp/frhorton/98rznyn69.html african seaports ] [http://s1.shard.jp/olharder/auto-a-vendre.html cush automotive group ] [http://s1.shard.jp/bireba/alerta-antiviruses.html computer associate antivirus ] [http://s1.shard.jp/olharder/browning-semi.html automotive spray booth fan ] [http://s1.shard.jp/frhorton/ank33l6la.html south african appetizers ] [http://s1.shard.jp/olharder/wes-finch-auto-plaza.html michigan autorama ] [http://s1.shard.jp/olharder/autoroll-654.html link] [http://s1.shard.jp/frhorton/iyc9ldho5.html african house slaves] [http://s1.shard.jp/bireba/avp-antivirus-free.html avp antivirus free download] [http://s1.shard.jp/bireba/avg-antivirus.html panda antivirus free download ] [http://s1.shard.jp/olharder/autoroll-654.html links] [http://s1.shard.jp/olharder/baltimore-auto.html 2002 auto cad serial ] [http://s1.shard.jp/bireba/avast-antivirus.html norton antivirus free download full version ] [http://s1.shard.jp/frhorton/ds9o5dtz4.html african rainforest people ] [http://s1.shard.jp/frhorton/dxtxzjkte.html south african people and culture ] [http://s1.shard.jp/olharder/autoroll-654.html webmap] [http://s1.shard.jp/galeach/new61.html montasia injury ] [http://s1.shard.jp/losaul/the-barrier-reef.html roxy australia ] [http://s1.shard.jp/galeach/new93.html asia de cuba new york reviews ] [http://s1.shard.jp/galeach/new15.html asian gift store ] [http://s1.shard.jp/frhorton/cwoxkek8d.html kwela south african pop music ] [http://s1.shard.jp/frhorton/3otvgvzdn.html africas land ] [http://s1.shard.jp/frhorton/nluldpiwy.html population density of north africa and the middle east ] [http://s1.shard.jp/bireba/antivirus-checking.html kasperski antivirus program ] [http://s1.shard.jp/frhorton/9ilzodadz.html weather south africa march ] [http://s1.shard.jp/bireba/antiviruscom.html avg antivirus 7.0.306 serial number ] [http://s1.shard.jp/losaul/travel-shows-in.html department of immigration australia ] [http://s1.shard.jp/galeach/new128.html anastasia hotel protaras cyprus ] [http://s1.shard.jp/olharder/autoroll-654.html domain] [http://s1.shard.jp/olharder/autoextracom.html 500 auto club nascar ] [http://s1.shard.jp/olharder/angeles-auto-body.html automobile engine pictures ] [http://s1.shard.jp/frhorton/2tqspott4.html adoption from africa ] [http://s1.shard.jp/bireba/avg-antivirus-software.html av antivirus free ] 
[http://s1.shard.jp/olharder/autoroll-654.html sitemap] [http://s1.shard.jp/galeach/new124.html asian eyelashes
] [http://s1.shard.jp/galeach/new83.html asiaworld expo
] [http://s1.shard.jp/losaul/australian-photography.html australia dog in martingale
] [http://s1.shard.jp/galeach/new2.html asian female myspace.com oregon site
] [http://s1.shard.jp/frhorton/fg84cc18u.html african big game safari
] [http://s1.shard.jp/galeach/new123.html joblink asia
] [http://s1.shard.jp/losaul/australia-next.html sydney australia airport
] [http://s1.shard.jp/bireba/antivirus-appliance.html house call antivirus free
] [http://s1.shard.jp/galeach/new108.html gay asian pic
] [http://s1.shard.jp/olharder/canadian-auto.html classic mercedes automobiles
] [http://s1.shard.jp/frhorton/x5dh8y75v.html cedarberg mountains south africa] [http://s1.shard.jp/bireba/anyware-antivirus.html ca etrust antivirus 2005
] [http://s1.shard.jp/olharder/automated-gasoline.html auto car group pro
] [http://s1.shard.jp/bireba/ avg antivirus system download
] [http://s1.shard.jp/losaul/cheap-air-fare-to.html australian health care summit
] [http://s1.shard.jp/olharder/autoroll-654.html webmap] [http://s1.shard.jp/frhorton/bc7zse5ug.html africa ibo
] [http://s1.shard.jp/bireba/innoculate-antivirus.html norman antivirus free
] [http://s1.shard.jp/bireba/grisoft-antivirus.html panda titanium 2006 antivirus crack
] [http://s1.shard.jp/olharder/automobile-chart.html automobile chart collision deformation speed] [http://s1.shard.jp/galeach/new97.html asian guys lip synching
] [http://s1.shard.jp/losaul/australia-installation.html what is boxing day in australia
] [http://s1.shard.jp/losaul/australia-funniest.html brightmail virus australia
] [http://s1.shard.jp/frhorton/dfj31yuuh.html budget renta car south africa
] [http://s1.shard.jp/losaul/australian-emus.html australia queensland weather
] [http://s1.shard.jp/olharder/1-800-safe-auto.html 1 800 safe auto insurance] [http://s1.shard.jp/losaul/australian-bull.html ibm notebook australia
] [http://s1.shard.jp/frhorton/1aei449pv.html racism against african american
] [http://s1.shard.jp/frhorton/2u1ol1yan.html african child clothes] [http://s1.shard.jp/frhorton/kqcuriisf.html african hair salons
] [http://s1.shard.jp/frhorton/h4xwn2n8q.html good maps of africa
] [http://s1.shard.jp/galeach/new18.html gay asians men
] [http://s1.shard.jp/olharder/auto-copart-sale.html auto trador.com
] [http://s1.shard.jp/olharder/pegasus-autoracing.html automotive engine oil pressure transducer operation
] [http://s1.shard.jp/frhorton/gcc5hqqy1.html african american hair natural wig woman
] [http://s1.shard.jp/losaul/emmigrating-australia.html australia queensland travel
] [http://s1.shard.jp/frhorton/71w3q2xvj.html african animals that begin with the letter x
] [http://s1.shard.jp/galeach/new106.html asian escorts new york
] [http://s1.shard.jp/frhorton/y9my6dqry.html africa in overland travel
] [http://s1.shard.jp/frhorton/q5ck3w5jf.html african grey photos
] [http://s1.shard.jp/frhorton/54k2pi876.html africa united concert
] [http://s1.shard.jp/olharder/subasta-de-autos.html literary autobiography 1994 infant prodigy
] [http://s1.shard.jp/bireba/download-norton.html panda antivirus free
] [http://s1.shard.jp/olharder/autoroll-654.html index] [http://s1.shard.jp/olharder/dacoma-automotive.html auto insurance discounters in texas
] [http://s1.shard.jp/frhorton/ndbzagarh.html cta africa card

Revision as of 09:59, 27 May 2009



Needs review


  • Neil Smithline

General Discussion

I use a very similar scheme in my applications, but 2 points that came to mind whilst reading.

  1. Iterations of at least 1000 times seemed a bit excessive, but it is in the standard and I'm in no way qualified to critise.
  2. Instead of storing salt in it's own field I usually include it amongst the password (i.e characters 2, 4, 7, 13, 17, 19) to make it that bit harder to even find the salt value. I generally hex encode the hashes as well to make them a bit easier to work with. Assuming decompiled code is available (as an attacker has gained access to the password hashes) this extra salt hiding may not serve any useless purpose.
I think that the above comment about hiding the bits in the password should just tossed. First, it is basically arguing security by obscurity - never a good practice. Second, it states that the bit hiding isn't helpful when the source code is available. Being that this article is discussing hashing in "Java" specifically and Java decompilation is a well-known and freely available technology, it seems that there is no need to mention hiding of the salt unless it is in reference to other languages. Eg: "In languages other than Java, where obtaining the source code can be difficult and reading the machine code is awkward, hiding the bits of the salt within the hashed password might provide some extra security.(And comments probably should be signed. Four tilde's "~ ~ ~ ~", without the intervening spaces, adds your username and timestamps the comment.)
Neil Smithline 16:46, 13 April 2007 (EDT)
I'm advocating information hiding, not security by obscurity, albeit a fine line. The case where source is available makes it a pointless exercise from a security perspective, but imagine a badly written webapp provides access to the database. Showing the use of different salts and then making the salt value obvious allows an attacker to perform dictionary attacks. Hiding the salt within the encrypted password makes this almost impossible. Darren 12:34, 17 April 2007 (EDT)

Huh? Repetitive hashing only affects the attacker?

The article states (Hashing_Java#Hardening against the attacker's attack):

To slow down the computation it is recommended to iterate the hash operation n times. Because hashing is a fast operation, it slows down by a n factor an attacker but not a legitimate user.

I find the second sentence so awkward to parse that I'm not sure if it is incorrect, I'm mis-parsing it, or I'm not understanding what it is saying. My understanding is that doing the hash n times slows down both the attacker, the user, and anyone else who wants to hash, by a factor of n every time they hash. The key here is that most of what a typical user does is not authentication, and most of authentication is not password validation. Other tasks such as database lookups, permission gathering, and session initialization tend to be much slower than password validation (which likely happens entirely in memory in a tight loop and thereby flies by comparison to the DB-based operations). So, while hashing the password n times does slow down hashing for both attackers and typical users, typical users don't really notice it being that hashing is such a small percentage of their total time interacting with the system. On the other hand, an attacker trying to crack passwords spends nearly 100% of their time hashing so hashing n times gives the appearance of slowing the attacker down by a factor of n while not noticeably affecting the typical user.

If someone else takes a look at my comment and the article and agrees, then it should probably just be changed. I would have done this myself but I'm concerned (although not very concerned) that I might be misunderstanding the text.

Neil Smithline 17:09, 13 April 2007 (EDT)

Agree, have changed it - Stephendv 08:06, 14 January 2008 (EST)

Char to byte

password.getBytes() should be password.getBytes("UTF-8")

Changed. Stephendv 08:09, 14 January 2008 (EST)

UnsupportedEncodingException in code sample

The code sample at the end of the article is not compiling for me in Java 6 because of an uncaught exception, UnsupportedEncodingException in the getHash method.