Java: Using bcrypt to salt passwords

If you’re storing passwords, don’t simply hash them: use bcrypt.

Bcrypt was designed to salt and hash passwords in a way that makes cracking them extremely expensive in both computing resources and time. See http://en.wikipedia.org/wiki/Bcrypt

jBCrypt is the Java implementation. Hash a password with a fresh random salt like so:

    import org.mindrot.jbcrypt.BCrypt;
    String hashedValue = BCrypt.hashpw("password", BCrypt.gensalt(12));

The number passed to gensalt is the cost factor: it controls how many rounds of hashing are applied, and each increment doubles the work needed to compute (and therefore to crack) the hash.

The salt is encoded in the resulting hash string, so that single string is all you need to store.

To check whether a candidate string matches the stored hash, do the following:

    boolean matches = BCrypt.checkpw(candidate, hashedValue);
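A fuller example, added here and not taken from the original post or the jBCrypt project, wraps the two calls above in a small class: it hashes at a fixed cost factor, verifies a candidate, and reads the cost factor back out of the stored string so hashes made earlier at a lower cost can be flagged for rehashing on the next successful login. The class name PasswordStore and its method names are my own choices.

```java
import org.mindrot.jbcrypt.BCrypt;

public class PasswordStore {
    // Cost factor for new hashes; raise it over time as hardware gets faster.
    private static final int COST = 12;

    /** Hash a password with a fresh random salt at the current cost factor. */
    public static String hash(String password) {
        // bcrypt uses only the first 72 bytes of the password; longer input is silently truncated.
        return BCrypt.hashpw(password, BCrypt.gensalt(COST));
    }

    /** Verify a candidate against a stored hash; the salt is read from the hash itself. */
    public static boolean verify(String candidate, String hashed) {
        return BCrypt.checkpw(candidate, hashed);
    }

    /** Parse the cost factor out of a stored bcrypt string of the form "$2a$12$<salt><hash>". */
    public static int costOf(String hashed) {
        // Splitting on '$' gives: "", "2a", "12", "<22-char salt + 31-char hash>"
        String[] parts = hashed.split("\\$");
        if (parts.length < 4 || !parts[1].startsWith("2")) {
            throw new IllegalArgumentException("not a bcrypt hash");
        }
        return Integer.parseInt(parts[2]);
    }

    /** True when a stored hash was produced with a lower cost than current policy. */
    public static boolean needsRehash(String hashed) {
        return costOf(hashed) < COST;
    }

    public static void main(String[] args) {
        // Constructed sample password; in real code it comes from the login form.
        String secret = "correct horse battery staple";
        String stored = hash(secret);
        System.out.println("stored:         " + stored);
        System.out.println("correct login:  " + verify(secret, stored));
        System.out.println("wrong login:    " + verify("wrong", stored));

        // Simulate a hash made under an older, weaker policy (cost 10).
        String legacy = BCrypt.hashpw(secret, BCrypt.gensalt(10));
        System.out.println("legacy cost:    " + costOf(legacy));
        System.out.println("legacy rehash:  " + needsRehash(legacy));
        System.out.println("current rehash: " + needsRehash(stored));
    }
}
```

On a successful login where needsRehash returns true, the plaintext is available, so re-hash it with hash() and replace the stored value before the request completes.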