After searching in Google and watching a few posts in StackOverflow (Java hashing passwords, Hashing Password). I try not to duplicate questions and look for the answers by myself, but as you can appreciate, this was not the case.

I'm creating a simple library in Java to hash passwords using the SHA256 algorithm.

Every time I create a hash the password generated is different. This happens with SHA256 and MD5 algorithms.

Why is this happening? I think that passwords generated should be the same. I may be totally wrong and confused about how hashing works.

The hashing method:

CipherString.java

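    import java.io.UnsupportedEncodingException;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    public static String cipherPassword(String pwd, String salt) throws NoSuchAlgorithmException, UnsupportedEncodingException
    {
        // SHA-256 over the salt bytes followed by the password bytes
        MessageDigest d = MessageDigest.getInstance("SHA-256");
        d.update(salt.getBytes("UTF-8"));
        byte[] hash = d.digest(pwd.getBytes("UTF-8"));

        // Hex-encode the digest, two lowercase hex characters per byte
        StringBuilder sb = new StringBuilder();

        for (int i = 0; i < hash.length; i++)
        {
            sb.append(Integer.toString((hash[i] & 0xff) + 0x100, 16).substring(1));
        }

        String pwdCifrada = sb.toString();

        return pwdCifrada;
    }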

EDIT:

Old Main.java (bugged code)

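    String username = txtUsername.getText();
    char[] password = txtPassword.getPassword();
    // password.toString() is Object.toString() on the array (type and identity hash), not the typed characters
    String hashedPassword = cipherPassword(password.toString(), username);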

New Main.java (fixed/solved code)

    String username = txtUsername.getText();
    char[] password = txtPassword.getPassword();
    // new String(char[]) builds the string from the array's contents
    String hashedPassword = cipherPassword(new String(password), username);

I have deleted all the models, view and controllers which are unneeded.

Thank you all.

  • SHA means "Secure Hash Algorithm". Not "Encryption". This algorithm generates a hash-value from a given value. This process is not (or at least nearly) impossible to reverse - on purpose. Hash-algorithms are not encryption-algorithms and should not be used in that way (and can't be used anyways). Commented Jun 5, 2015 at 15:21
  • I get 70bc98d434ad88c6e99dc513d6bcb160fd8b8a211fc74af07d7b780d6a7fdf61 when I run your program, repeatedly. Commented Jun 5, 2015 at 15:22
  • I can't reproduce either. I get the same hash every time. Commented Jun 5, 2015 at 15:23
  • @Paul - Yes, I just edited. I meant one way encryption, or hashing. Commented Jun 5, 2015 at 15:24
  • @JesusGonzalez I think Paul is referring to the fact that you are calling the hash value a password and using pwd for the variable name of the hash. It's a bit confusing. Commented Jun 5, 2015 at 15:28

1 Answer

I strongly recommend using a library to handle this for you.

Consider Apache Commons Codec library:

    import org.apache.commons.codec.digest.DigestUtils;

    public class HashTest {
        public static String cipher(String pwd, String salt) {
            return DigestUtils.sha256Hex(pwd+salt);
        }
        public static void main(String[] args) {
            String p = "password";
            String s = "randomSalt";
            String c = cipher(p, s);
            System.out.println(c);
        }
    }

This will always print

a0494b0d7ef89bba60f9703e2c438465cd1241cc440a8fc20f4330639d2c9c2f

If you are using Maven to manage your dependencies you can check the latest version here: http://mvnrepository.com/artifact/commons-codec/commons-codec

Or use the current latest:

    <dependency>
        <groupId>commons-codec</groupId>
        <artifactId>commons-codec</artifactId>
        <version>1.10</version>
    </dependency>

1 Comment

Thanks a lot. It was by trying this library that I noticed that when I call toString() from a char[] it will print the memory location, not the actual String itself. The getPassword() method will return a char array but by calling toString() will not print the string, in any case I should have done new String(char[]). It has been several days programming and my mind was not so clear. Thank you again. I will use this library in order to hash the passwords.
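
The cause identified in the comment above, reproduced as an added example (not code from the question or the answer): the same salt-then-password SHA-256 construction is fed first `char[].toString()` and then the array's actual characters, encoded to UTF-8 without an intermediate `String`. The class name, method names and the salt value "alice" are assumptions made for the illustration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class CharArrayHashDemo {
    // Same construction as the question's cipherPassword(): salt first, then password.
    static String sha256Hex(byte[] salt, byte[] pwd) throws NoSuchAlgorithmException {
        MessageDigest d = MessageDigest.getInstance("SHA-256");
        d.update(salt);
        StringBuilder sb = new StringBuilder();
        for (byte b : d.digest(pwd)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Bugged path: hashes the text "[C@<identity hash>", not the password.
    static String hashBugged(char[] password, String salt) throws NoSuchAlgorithmException {
        return sha256Hex(salt.getBytes(StandardCharsets.UTF_8),
                password.toString().getBytes(StandardCharsets.UTF_8));
    }

    // Fixed path: encode the characters directly, then wipe the temporary copies.
    static String hashFixed(char[] password, String salt) throws NoSuchAlgorithmException {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] pwdBytes = new byte[buf.remaining()];
        buf.get(pwdBytes);
        try {
            return sha256Hex(salt.getBytes(StandardCharsets.UTF_8), pwdBytes);
        } finally {
            Arrays.fill(pwdBytes, (byte) 0);
            if (buf.hasArray()) Arrays.fill(buf.array(), (byte) 0);
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed input: two arrays with identical contents, like two getPassword() calls.
        char[] first = "password".toCharArray();
        char[] second = "password".toCharArray();
        System.out.println("toString(): " + first.toString() + " / " + second.toString());
        System.out.println("bugged hashes match: " + hashBugged(first, "alice").equals(hashBugged(second, "alice")));
        System.out.println("fixed hashes match:  " + hashFixed(first, "alice").equals(hashFixed(second, "alice")));
        Arrays.fill(first, '\0');   // clear the caller's copies when done
        Arrays.fill(second, '\0');
    }
}
```

The bugged comparison normally prints false because each array instance has its own identity hash, while the fixed comparison prints true.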
