12

I'm trying to hash some passwords with SHA2.

Where can I get a snippet of Java code to do that?

I have seen that post, but there is something I am missing: SHA2 password storage with Java

    Mac mac = Mac.getInstance("HmacSHA256");                                                    // javax.crypto.Mac: this is a MAC, not a plain hash
    SecretKeySpec secret = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA256"); // javax.crypto.spec.SecretKeySpec wraps the MAC key
    mac.init(secret);
    byte[] shaDigest = mac.doFinal(phrase.getBytes(StandardCharsets.UTF_8));                     // 32-byte HMAC-SHA256 tag over the phrase
    String hash = "";
    for (byte b : shaDigest) {                                                                   // hex-encode the tag, two characters per byte
        hash += String.format("%02x", b);
    }

The phrase is the String I want to encode, right? And what is the key (line 2)?

Thanks in advance

1
  • FYI: You may read some questions about password hashing. While it is good to hash passwords, it is non-trivial to do it correctly. This question has some good answers: Suggestions for library to hash passwords in Java Commented Jul 27, 2011 at 9:19

4 Answers

25

First, you need to be clear what it is you want to do. You say you want to hash a password, but the code you are using is for a MAC (Message Authentication Code), specifically, HMAC.

Hashes and MACs are different things for different purposes (though HMAC does involve using a hash). You need to be sure you are using the right one for your requirement.

The reason you are being asked to supply a key is because MACs need a key. Hashes do not:

    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    // Plain SHA-256 digest of the password: no key is involved, unlike the HMAC in the question
    public byte[] hash(String password) throws NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] passBytes = password.getBytes(StandardCharsets.UTF_8); // explicit charset rather than the platform default
        byte[] passHash = sha256.digest(passBytes);
        return passHash;
    }


15

I modified rossum's code a little: added a salt, changed the return type to String, and added try/catch. Maybe it will help someone:

    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    public String hash(String password) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            String salt = "some_random_salt";                  // a fixed string here, so every password gets the same salt
            String passWithSalt = password + salt;
            byte[] passBytes = passWithSalt.getBytes(StandardCharsets.UTF_8);
            byte[] passHash = sha256.digest(passBytes);
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < passHash.length; i++) {
                // hex-encode each byte, zero-padded to two characters
                sb.append(Integer.toString((passHash[i] & 0xff) + 0x100, 16).substring(1));
            }
            String generatedPassword = sb.toString();
            return generatedPassword;
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
        return null;
    }


10

You may consider using commons-codec's implementation:

    String hash = org.apache.commons.codec.digest.DigestUtils.sha256Hex(password + "salt");

1 Comment

This is not in Java SE
1

Phrase would be the password that you're trying to protect. key is the salt, a unique (and known) string appended to your password before hashing, to defeat rainbow tables. Or it should be, at least. Your code is just taking it from the password itself, which is kind of pointless. It should be a long random string that is stored together with the password digest.
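The point made in this last answer, a long random salt stored together with the digest, carried through in working code. This is an added example, not code from any of the answers: it keeps the page's SHA-256 MessageDigest, stores salt and digest as Base64 joined by ":", and compares with MessageDigest.isEqual so the check does not stop at the first differing byte. The class name and the record layout are my own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class SaltedSha256 {
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    // Produces "base64(salt):base64(SHA-256(salt || password))". The salt is fresh per call
    // and stored beside the digest, so equal passwords give different records.
    public static String hash(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(digest(salt, password));
    }

    // Recomputes the digest with the stored salt; a malformed record simply fails verification.
    public static boolean verify(String password, String stored) throws NoSuchAlgorithmException {
        String[] parts = stored.split(":", 2);
        if (parts.length != 2) {
            return false;
        }
        byte[] salt;
        byte[] expected;
        try {
            salt = Base64.getDecoder().decode(parts[0]);
            expected = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return false;
        }
        return MessageDigest.isEqual(expected, digest(salt, password)); // constant-time comparison
    }

    private static byte[] digest(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        sha256.update(salt);                                        // salt first, then the password bytes
        sha256.update(password.getBytes(StandardCharsets.UTF_8));  // explicit charset, never the platform default
        return sha256.digest();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String record = hash("correct horse battery staple");      // constructed sample password
        System.out.println(record);
        System.out.println(verify("correct horse battery staple", record));
        System.out.println(verify("wrong password", record));
    }
}
```

SHA-256 is fast by design, so for real password storage a deliberately slow password KDF such as PBKDF2WithHmacSHA256 (available in Java SE through SecretKeyFactory) is the stronger choice; the salt handling above stays the same.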

