Feeds:
Posts
Comments

Posts Tagged ‘password’

Most of the software applications developed require their users to go through the authentication process by feeding in their username and password.  Every product owner should ask these questions

  • How secure are these passwords?
  • Is your application storing these passwords in plain text format or are they encrypted?
  • What sort of encryption algorithm is being used?

It is really important to get answers to these questions in order to protect the interest of your users and gain their confidence. Most of the time you find people using the same username and passwords for various different sites on the internet.

If password is stored in a plain text format anybody who has access to your application database will not only get access to your application but potentially to other applications, email boxes, etc for the user.

If passwords are encrypted using an algorithm which can be encoded as well as decoded, its still not safe. People with the knowledge of this algorithm can still break into the system and decode all passwords.

So what should be done?

To secure your application and make it almost fool proof, it is suggested that passwords should be encrypted using a one way hash functions.

A one-way hash (also known as: message digest or fingerprint or compression) function.  A hash function is an algorithm that takes a variable-length string and returns a fixed-length hashed value as the output. “One-way” because these algorithms make sure that this process irreversible and extracting the input string should be extremely hard, if not impossible.

The Secure Hash Algorithm is one amongst number of cryptographic hash functions published by the National Institute of Standards and Technology as a U.S. Federal Information Processing Standard.

SHA-2 defines two main hash functions SHA-256 (uses 32-bit words) & SHA-512 (uses 64-bit words).

I have written a password encoding utility which can be plugged into any Java application to make your passwords highly secure and potentially unrecoverable.

The Java code below

1. Uses SHA-256 Hashing Algorithm

2. Adds Salt (Salt as per taste – use random string for each user and store this)

3. Makes difficult for attackers by multi-hashing

/**
 * File Name : PasswordEncoder.java
 * Created on: 1 Jul 2010
 * Created by: Ashish Shukla
 * Orange Hut Solution Limited.
 * http://www.orangehut.com
 */

package com.ohsl.util;

import org.apache.log4j.Logger;

import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;

/**
 * @author Ashish Shukla
 *
 */
public class PasswordEncoder {
    /**
     * Logger for this class
     */
    private static final Logger log = Logger.getLogger(PasswordEncoder.class);

    private static PasswordEncoder instance;

    /**
     * Count for the number of time to hash,
     * more you hash more difficult it would be for the attacker
     */
    private final static int ITERATION_COUNT = 5;

    /**
     * Empty Constructor
     */
    private PasswordEncoder() {
    }

    /**
     * @return
     * @author Ashish Shukla
     */
    public static synchronized PasswordEncoder getInstance() {
	if (log.isDebugEnabled()) {
	    log.debug("getInstance() - start");
	}

	if (instance == null) {
	    PasswordEncoder returnPasswordEncoder = new PasswordEncoder();
	    log.info("New instance created");
	    if (log.isDebugEnabled()) {
		log.debug("getInstance() - end");
	    }
	    return returnPasswordEncoder;
	} else {
	    if (log.isDebugEnabled()) {
		log.debug("getInstance() - end");
	    }
	    return instance;
	}
    }

    /**
     *
     * @param password
     * @param saltKey
     * @return
     * @throws NoSuchAlgorithmException
     * @throws IOException
     * @author Ashish Shukla
     */
    public synchronized String encode(String password, String saltKey)
	    throws NoSuchAlgorithmException, IOException {
	if (log.isDebugEnabled()) {
	    log.debug("encode(String, String) - start");
	}

	String encodedPassword = null;
	byte[] salt = base64ToByte(saltKey);

	MessageDigest digest = MessageDigest.getInstance("SHA-256");
	digest.reset();
	digest.update(salt);

	byte[] btPass = digest.digest(password.getBytes("UTF-8"));
	for (int i = 0; i < ITERATION_COUNT; i++) {
	    digest.reset();
	    btPass = digest.digest(btPass);
	}

	encodedPassword = byteToBase64(btPass);

	if (log.isDebugEnabled()) {
	    log.debug("encode(String, String) - end");
	}
	return encodedPassword;
    }

    /**
     * @param str
     * @return byte[]
     * @throws IOException
     */
    private byte[] base64ToByte(String str) throws IOException {
	if (log.isDebugEnabled()) {
	    log.debug("base64ToByte(String) - start");
	}

	BASE64Decoder decoder = new BASE64Decoder();
	byte[] returnbyteArray = decoder.decodeBuffer(str);
	if (log.isDebugEnabled()) {
	    log.debug("base64ToByte(String) - end");
	}
	return returnbyteArray;
    }

    /**
     * @param bt
     * @return String
     * @throws IOException
     */
    private String byteToBase64(byte[] bt) {
	if (log.isDebugEnabled()) {
	    log.debug("byteToBase64(byte[]) - start");
	}

	BASE64Encoder endecoder = new BASE64Encoder();
	String returnString = endecoder.encode(bt);
	if (log.isDebugEnabled()) {
	    log.debug("byteToBase64(byte[]) - end");
	}
	return returnString;
    }

}

You are free to download this sample code from OHSL Code Library:

Visit Open Web Application Security Project for more on improving the security of application software.

Read Full Post »