This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Talk:Hashing Java

From OWASP
Revision as of 09:49, 7 November 2006 by Stephendv (talk | contribs)

Jump to: navigation, search

Status

Needs review

Reviewers

  •  ?

General Discussion

I use a very similar scheme in my applications, but 2 points that came to mind whilst reading.

  1. Iterations of at least 1000 times seemed a bit excessive, but it is in the standard and I'm in no way qualified to critise.
  2. Instead of storing salt in it's own field I usually include it amongst the password (i.e characters 2, 4, 7, 13, 17, 19) to make it that bit harder to even find the salt value. I generally hex encode the hashes as well to make them a bit easier to work with. Assuming decompiled code is available (as an attacker has gained access to the password hashes) this extra salt hiding may not serve any useless purpose.
Retrieved from "https://wiki.owasp.org/index.php?title=Talk:Hashing_Java&oldid=11948"