Hash In Spring Boot

What Is Hashing?

• Hashing is simply passing some data through a formula that produces a result, called a hash. That hash is usually a string of characters and the hashes generated by a formula are always the same length, regardless of how much data you feed into it. For example, the MD5 formula always produces 32 character-long hashes. Moreover, each time you run the same data through the formula, you will get the exact same hash out of it and there are no ways to convert a hash back to the original data. More information.
• Hash is a path of security. It is used to ensure data integrity, this is commonly referred as checksum, or signature. In order words, if some part of data is changed, then you can know that it's changed.
• There are a huge number of widely accepted hashing algorithms available for general use. For example, MD5, SHA1, SHA224, SHA256, SHA512.

Data	HASHED DATA
minhduc	0D54D2191C796096A19C01D9D98BD4DC2706EFEABB79747B1EC506C00C481DC2

Salt In Hash

• Salt is a random data that is used as an additional input to a one-way function that hashes data, a password or passphrase, salts are used to safeguard passwords in storage.

Data	SALT	HASHED DATA
minhduc	CEAB0B1771049333E44D20A880509292E9 2781CC3D03F80AC41B73EC068E3EFF	F9799760BFC12492E91A8B70A84C3E8EE 90996ACAC6D0B6FD19448DACECAE4A4

Why Hash?

• You may have heard of hashing used in the context of passwords. Among many uses of hashing algorithms, this is one of the most well-known. When you sign up on a web app using password, rather than storing your actual password, which would not only be a violation of your privacy but also a big risk for the web app owner, the web app hashed the password and stores only the hash.
• Then, the next time you log in, the web app again hashes your password and compares this hash with the hash stored earlier. If the hashed match, the web app can be confident that you know your password even though the web app doesn't have your actual password in storage.

• Hasing is used in Password management, verify the integrity of the downloaded file.

• So why should we use hash for storing password?

  • Not reversible, no plain Password
  • If attacker can steal user database there are no way to get plain passwords.
  • Better hash with salt
  • Unique salt each user

• Why do we should not store encrypt password?

• Attacker can steal user database & Encryption secret Key
• Decrypt all user data and get plain password
• When hacker have username and password, they can re-use username & password

Examples

• Example With SHA-256 In Spring Boot
• Example With SHA-512 In Spring Boot
• Example With Pbkdf2 In Spring Boot
• Example With Bcrypt In Spring Boot

See Also

• Password Management With PasswordEncoder

References

• Dataspace.