On Feb 2, 2014, at 1:23 AM, Gabriel E. Sánchez Martínez wrote:

> Hi developers,
> 
> I am very new to Tomcat but am already getting my feet wet with a web 
> application.  A requirement for this application is form-based password 
> authentication, and I would like to store passwords in a database using 
> salted SHA-512 digests

I can't speak to most of this email, but don't do this. SHA-x is a *fast* 
hashing algorithm. It's not designed for passwords. The problem with fast 
hashing algorithms is that they are *very* susceptible to rainbow table 
attacks. Modern password-hacking systems with 24 GPUs can calculate billions of 
MD5 and SHA-x hash attacks per second.

I strongly recommend you use a *slow* hashing algorithm such as bcrypt, which 
is designed specifically for hashing passwords. These algorithms use more than 
just CPU/GPU operations (such as memory). Password hacking systems can only 
calculate thousands of these per second instead of millions. It's much better 
protection in case your password database is ever stolen.

> , recognizing that this is not state-of-the-art password protection, but it 
> is a more secure method than unsalted digests in the event that the password 
> table is compromised.
> 
> <snip />

Nick
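As an added illustration of Nick's point (example code written for this page, not code from the thread or from Tomcat): the salted single-pass SHA-512 the original poster proposed, next to an iterated construction, PBKDF2-HMAC-SHA512 from the Python standard library, standing in for bcrypt, which needs a third-party package. The iteration count, storage format and sample passwords are assumptions; the timing helper shows how much more each guess costs with the iterated scheme.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for the demo; a real deployment tunes this to its hardware budget.
PBKDF2_ITERATIONS = 200_000


def hash_fast_salted(password: str, salt: bytes) -> bytes:
    """Salted SHA-512 as proposed in the thread: one digest call, so each guess is very cheap."""
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def hash_slow(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA512: the same primitive iterated, so the cost per guess is a tunable parameter.
    (bcrypt, which Nick recommends, follows the same principle; PBKDF2 is used here because it is
    in the standard library.)"""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store scheme, work factor and a fresh random salt next to the digest (assumed '$' format),
    so verification is self-describing and the work factor can be raised later."""
    salt = os.urandom(16)
    digest = hash_slow(password, salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha512":
        return False
    candidate = hash_slow(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def slowdown_factor(iterations: int = 20_000, n: int = 20) -> float:
    """Rough ratio of per-guess cost, iterated scheme over single-pass SHA-512, on this machine.
    A defender wants this number large: it is what an offline attacker must pay per guess."""
    salt = b"\x00" * 16  # constructed fixed salt; only the timing matters here
    t0 = time.perf_counter()
    for _ in range(n):
        hash_fast_salted("hunter2", salt)
    fast = max(time.perf_counter() - t0, 1e-9)
    t0 = time.perf_counter()
    for _ in range(n):
        hash_slow("hunter2", salt, iterations)
    slow = time.perf_counter() - t0
    return slow / fast
```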


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org