开发者

Hashed and Salted Password is not always the same

I am using Apache Shiro as my security layer in my Spring app and I am encountering a really weird situation.

Firstly, this is how my security system is set up. When a user registers their password is hashed with a securely generated random salt. The salt and hashed password are then stored in my DB. Everything works 100% when they register and login works great too, but then a couple of days go by and suddenly their hashed passwords aren't matching any longer. Here is my code:

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.hash.Sha256Hash;

public static void main开发者_StackOverflow(String[] args) {
        String plainPassword = "testing";
        String salt = "8AFTpriREtydSg39+37rQHNRyvZLuXqyXYgWXI55f1PbhbUQSeFGCLKsHpA6thZKs3uQeNNJHksqcV5oaNcr9lQiXMMyC8Duqr2aQaqyjLKpNMVlB69jJ7emNq0K6ccfBdv/O4JGT2U689LeNg6CqN+9kqW2GBgT2CIVOlapA34=";

        System.out.println(new Sha256Hash(plainPassword.toCharArray(), Base64.decode(salt), 1024).toBase64());
}

The resulting hashed password is:

b8VLt/eKV8F5kwDjRgdkM+PAvQC8sk7Ooflt91juaXA= 

But the password I have in my database, which was working and was generated with the exact same salt a couple of days ago was:

xZNBNlUa8vRQq0qY5bbkETzZtzztGRTH2KZKijQdilU=

So as you can imagine, I am completely stumped. Does anyone know if I am doing something wrong? Or if I have left a step out.

Update 1: After registering a new user in my system, it looks like all the other users in the system have their passwords changed for some reason. So this has nothing to do with the way the password hash is generated and more to do with my database access layer.


It seems your problem is unrelated to hashing and salting. You are sending improper queries that update unwanted records.

But I'll throw in an advice about salting - use a different salt for every user. Otherwise your passwords are not as secure. Imagine what happens if someone obtains the salt and your database. In a while (could be weeks, but it's not that much) he will be able to generate a rainbow table and have most of your passwords. While if you use a different salt, he will have to generate as many rainbow tables as the number of your users.


It turns out I had some dodgy code somewhere else that was updating my user object and overwriting their password with a new password. So the password hashing algorithms were working correctly after all.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜