Is the SHA-1 example shown on this web site better than UNIX crypt()?

Hi,

For a project I am working on I have to store passwords in a database. I want to store these passwords encrypted and my first thought was to write/use an emulation of the UNIX crypt() function, e.g. UnixCrypt. However I am concerned that UNIX passwords are easy to brute force unless you have a very strict password policy....

However I saw an example on this website in response to a similar question and it was suggested they use SHA-1 to generate a one-way hash and Base64 to encode the result before storing in the database. If I force people to choose passwords longer than the traditional 8 chars allowed by UNIX and use SHA-1 to generate the hash, will it be harder to discover the passwords using brute force than it is for the standard UNIX passwords?

regards,

Jeff.

[822 byte] By [bannister.j] at [2007-9-26 7:39:57]
# 1

Only if the passwords chosen are secure. If someone chooses the word 'password', it won't matter which hashing algorithm is used (and Base64 is an encoding scheme, which doesn't add any security). Regardless of how passwords are encrypted, they should always be protected as if they are plaintext. A very strict password policy, along with regular attempts to crack your own password databases would also be wise.

More simply, SHA-1 is considered to be a far more secure hashing algorithm than crypt(), and because Java has built-in support for SHA-1 via the java.security.MessageDigest class you'll also save yourself some work.

Good luck,

-Derek

slagdogg at 2007-7-1 17:44:03