
Possible Duplicate:
Which password hashing method should I use?

I want the best cryptography algorithm for storing passwords in a database. Which one should I use, and how can I implement it using Java code? Please also suggest available APIs for the same algorithm.

Bhavik Ambani
  • I'm low-rep here, so I cannot vote to close directly, but this question has been asked before, fx in http://security.stackexchange.com/questions/5605/which-password-hashing-method-should-i-use –  Jan 22 '12 at 10:01
  • @JesperMortensen FYI: You can flag the question for moderator attention. There should then be an option for "it does not belong here", under which you can mark it as an exact duplicate. It won't take effect as an actual vote to close, but it will call a moderator's attention to the issue. Then (as Rory has done here) they can come in and apply the diamond-plated hammer if they deem it appropriate. – Iszi Jan 23 '12 at 15:56

1 Answer

IMHO the best password storage function is scrypt. This algorithm became my favorite key derivation function after reading Stronger Key Derivation via Sequential Memory-Hard Functions. Scrypt can use an arbitrary amount of memory or CPU time. This feature makes scrypt very difficult to crack using an FPGA or GPU. It should also be noted that ChromeOS uses scrypt in an interesting design.

A Java implementation can be found here.

rook
  • "IMHO" is exactly why I just voted to close this question. It's subjective, and also time-localized. Not a good fit for SE format. – Iszi Jan 22 '12 at 09:38
  • Yes the answer is subjective, however I found the references very good, credible and informative. I thank @Rook for the response. – Eureka Ikara Jan 22 '12 at 09:55
  • @Iszi I agree that this should be closed out of a dupe. But if we were to close every question for being subjective we would make very little progress. – rook Jan 22 '12 at 17:17
  • @Rook, I was wondering what your take is on adding [a 'pepper' value in addition to a salt](http://security.stackexchange.com/questions/3272/) for password hashing (independent of algorithm choice). Mainly because you approach the subject from the real-life point of view, rather than the academic side. – Jacco Jul 19 '12 at 09:13
  • @Jacco, a pepper is a very good idea and it makes password cracking much more difficult. – rook Jul 19 '12 at 09:15
  • @Rook, could you write an answer to the linked question; right now there is no good answer on this view. – Jacco Jul 19 '12 at 09:21
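Added example (not code from the answer above or from the implementation it links to): hashing and verifying a password with scrypt in Java, assuming Bouncy Castle's `org.bouncycastle.crypto.generators.SCrypt` is on the classpath. The stored record carries N, r, p and the salt next to the hash, so the cost parameters can be raised later without invalidating existing entries, and verification uses a constant-time comparison.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import org.bouncycastle.crypto.generators.SCrypt; // assumption: Bouncy Castle on the classpath

/** Password storage with scrypt; the record format "N$r$p$salt$hash" is this example's own. */
public final class ScryptPasswords {
    // Cost parameters: N = CPU/memory cost (power of two), r = block size, p = parallelism.
    // scrypt needs roughly 128 * N * r bytes, so N = 2^15, r = 8 uses about 32 MiB per hash.
    private static final int N = 1 << 15, R = 8, P = 1, SALT_LEN = 16, KEY_LEN = 32;
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns a self-describing record to store in the database. */
    public static String hash(char[] password) {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);                                   // fresh random salt per password
        byte[] dk = SCrypt.generate(toBytes(password), salt, N, R, P, KEY_LEN);
        Base64.Encoder b64 = Base64.getEncoder();
        return N + "$" + R + "$" + P + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(dk);
    }

    /** Recomputes the hash with the parameters stored in the record and compares in constant time. */
    public static boolean verify(char[] password, String stored) {
        String[] parts = stored.split("\\$");
        if (parts.length != 5) return false;                   // malformed record: reject, never throw
        int n = Integer.parseInt(parts[0]), r = Integer.parseInt(parts[1]), p = Integer.parseInt(parts[2]);
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[3]), expected = b64.decode(parts[4]);
        byte[] actual = SCrypt.generate(toBytes(password), salt, n, r, p, expected.length);
        return MessageDigest.isEqual(expected, actual);        // constant-time comparison
    }

    private static byte[] toBytes(char[] password) {
        return new String(password).getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample password
        String record = hash(pw);
        System.out.println(record);
        System.out.println(verify(pw, record));
        System.out.println(verify("wrong password".toCharArray(), record));
    }
}
```

A pepper, as discussed in the comments, would be a server-side secret mixed into the input of `SCrypt.generate` and kept outside the database; it is left out here to keep the example focused on the algorithm itself.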