If you are using Spring in your application, then you can also use Spring Security,which provides you with several password encoders, i.e. ShaPasswordEncoder You can find it on StackOverflow
I just use something similar to SHA-256(username + ":" + password + ":" + salt) and store it in the database in a 64-character column called passwd.
Wikipedia says, relating to salts: "Salt data complicates dictionary attacks that use pre-encryption of dictionary entries: each bit of salt used doubles the amount of storage and computation required. ... For best security, the salt value is kept secret, separate from the password database. This provides an advantage when a database is stolen, but the salt is not."
So to authenticate, get user from database with supplied username, then generate the same hash using the password provided via their login attempt, and compare to that in the database. Also add in some rate limiting for login attempts (e.g., 5 per 5 minute period). If the user forgets their password, NEVER email them the password (as you won't have it stored), nor email them a new generated password, but email them a link to change that password with a change password key/nonce/salt in the URL that you can check against.
我意识到这个答案没有提到 Spring 或 Hibernate,但我不清楚您希望如何在这种情况下利用它们。
Java has all of the required libraries already provided for you. Simply create a utility method that implements hashing with a salt as described at OWASP.
If you really don't want to own that code and don't mind an extra dependency, it seems that the Shiro library (formerly JSecurity) has an implementation of what is described by OWASP.
It also looks like the JASYPT library you mentioned has a similar utility.
I realize that this answer doesn't mention Spring or Hibernate but I'm not clear how you are hoping to utilize them in this scenario.
You can use Jasypt with Hibernate to encrypt or hash your properties on the fly if thats what you're looking for. The actual algorithm for computing digests (hashes) is pretty simple using the JCE if you want to roll your own as well.
似乎没有 Hibernate 特定的方法来使用 Jasypt 来做到这一点,但是您可以在 Spring 中设置密码加密器:
<!--
Set up string digester here so we can configure it for more pools if it's a problem...
-->
<bean id="stringDigester" class="org.jasypt.digest.PooledStringDigester">
<!-- same settings as StrongPasswordGenerator -->
<property name="poolSize" value="2"/>
<property name="algorithm" value="SHA-256"/>
<property name="iterations" value="100000"/>
<property name="saltGenerator">
<bean class="org.jasypt.salt.RandomSaltGenerator"/>
</property>
<property name="saltSizeBytes" value="16"/>
</bean>
<!-- ...and then we only have to deal with the passwordEncryptor interface in code. -->
<bean id="passwordEncryptor" class="com.myproject.util.StringPasswordEncryptor">
<property name="stringDigester" ref="stringDigester"/>
</bean>
There doesn't seem to be a Hibernate specific way to do it with Jasypt, but you can set up a password encryptor in Spring:
<!--
Set up string digester here so we can configure it for more pools if it's a problem...
-->
<bean id="stringDigester" class="org.jasypt.digest.PooledStringDigester">
<!-- same settings as StrongPasswordGenerator -->
<property name="poolSize" value="2"/>
<property name="algorithm" value="SHA-256"/>
<property name="iterations" value="100000"/>
<property name="saltGenerator">
<bean class="org.jasypt.salt.RandomSaltGenerator"/>
</property>
<property name="saltSizeBytes" value="16"/>
</bean>
<!-- ...and then we only have to deal with the passwordEncryptor interface in code. -->
<bean id="passwordEncryptor" class="com.myproject.util.StringPasswordEncryptor">
<property name="stringDigester" ref="stringDigester"/>
</bean>
After that, you call context.getBean("passwordEncryptor") to get the encryptor, and then call either encryptPassword() or checkPassword().
发布评论
评论(6)
如果您在应用程序中使用 Spring,那么您还可以使用 Spring Security,它为您提供了具有多个密码编码器,即 ShaPasswordEncoder
您可以在 StackOverflow 上找到它
If you are using Spring in your application, then you can also use Spring Security,which provides you with several password encoders, i.e. ShaPasswordEncoder
You can find it on StackOverflow
我只是使用类似于
SHA-256(用户名 + ":" + 密码 + ":" + salt)的内容,并将其存储在数据库中名为 passwd 的 64 字符列中。维基百科关于盐的说法是:“盐数据使使用字典条目预加密的字典攻击变得复杂:使用的每一位盐都会使所需的存储和计算量加倍。......为了获得最佳安全性,盐值是保密的,与密码数据库分开,这在数据库被盗时提供了优势,但盐却没有。”
因此,要进行身份验证,请使用提供的用户名从数据库获取用户,然后使用通过登录尝试提供的密码生成相同的哈希值,并与数据库中的哈希值进行比较。 还添加一些登录尝试的速率限制(例如,每 5 分钟 5 次)。 如果用户忘记了密码,切勿通过电子邮件向他们发送密码(因为您不会存储密码),也不要通过电子邮件向他们发送新生成的密码,而是通过电子邮件向他们发送一个链接,以更改密码,其中包含更改密码密钥/随机数/盐您可以检查的 URL。
I just use something similar to
SHA-256(username + ":" + password + ":" + salt)and store it in the database in a 64-character column called passwd.Wikipedia says, relating to salts: "Salt data complicates dictionary attacks that use pre-encryption of dictionary entries: each bit of salt used doubles the amount of storage and computation required. ... For best security, the salt value is kept secret, separate from the password database. This provides an advantage when a database is stolen, but the salt is not."
So to authenticate, get user from database with supplied username, then generate the same hash using the password provided via their login attempt, and compare to that in the database. Also add in some rate limiting for login attempts (e.g., 5 per 5 minute period). If the user forgets their password, NEVER email them the password (as you won't have it stored), nor email them a new generated password, but email them a link to change that password with a change password key/nonce/salt in the URL that you can check against.
Java 已经为您提供了所有必需的库。 只需创建一个使用 salt 实现哈希的实用程序方法,如 OWASP。
如果您确实不想拥有该代码并且不介意额外的依赖项,则似乎 Shiro 库(以前的 JSecurity)有一个 OWASP 所描述内容的实现。
它看起来也像你提到的 JASYPT 库有一个 类似实用程序。
我意识到这个答案没有提到 Spring 或 Hibernate,但我不清楚您希望如何在这种情况下利用它们。
Java has all of the required libraries already provided for you. Simply create a utility method that implements hashing with a salt as described at OWASP.
If you really don't want to own that code and don't mind an extra dependency, it seems that the Shiro library (formerly JSecurity) has an implementation of what is described by OWASP.
It also looks like the JASYPT library you mentioned has a similar utility.
I realize that this answer doesn't mention Spring or Hibernate but I'm not clear how you are hoping to utilize them in this scenario.
您可以使用 Jasypt 与 Hibernate 来动态加密或散列您的属性(如果您就是这样的话)寻找。 如果您也想推出自己的摘要,则使用 JCE 计算摘要(哈希)的实际算法非常简单。
You can use Jasypt with Hibernate to encrypt or hash your properties on the fly if thats what you're looking for. The actual algorithm for computing digests (hashes) is pretty simple using the JCE if you want to roll your own as well.
MD5 或 SHA-256 就可以了,尽管 MD5 现在可以破解。
也许我误解了这个问题,但它应该只是比较散列密码。
在休眠中,只需存储为字符串。 在验证方面,有一个类似的方法:
MD5 or SHA-256 would be fine, although MD5 is crackable now.
Maybe I misunderstood the problem, but it should be just comparing the hashed passwords.
In hibernate, just store as a String. On the validation side, have a method like:
似乎没有 Hibernate 特定的方法来使用 Jasypt 来做到这一点,但是您可以在 Spring 中设置密码加密器:
之后,您调用 context.getBean("passwordEncryptor") 来获取加密器,然后调用加密密码() 或检查密码()。
There doesn't seem to be a Hibernate specific way to do it with Jasypt, but you can set up a password encryptor in Spring:
After that, you call context.getBean("passwordEncryptor") to get the encryptor, and then call either encryptPassword() or checkPassword().