tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Williams <>
Subject Re: support for salted passwords
Date Sun, 02 Feb 2014 07:51:44 GMT

On Feb 2, 2014, at 1:23 AM, Gabriel E. Sánchez Martínez wrote:

> Hi developers,
> I am very new to Tomcat but am already getting my feet wet with a web application.  A
requirement for this application is form-based password authentication, and I would like to
store passwords in a database using salted SHA-512 digests

I can't speak to most of this email, but don't do this. SHA-x is a *fast* hashing algorithm.
It's not designed for passwords. The problem with fast hashing algorithms is that they are
*very* susceptible to rainbow table attacks. Modern password-hacking systems with 24 GPUs
can calculate billions of MD5 and SHA-x hash attacks per second.

I strongly recommend you use a *slow* hashing algorithm such as bcrypt, which is designed
specifically for hashing passwords. These algorithms use more than just CPU/GPU operations
(such as memory). Password hacking systems can only calculate thousands of these per second
instead of millions. It's much better protection in case your password database is ever stolen.

> , recognizing that this is not state-of-the-art password protection, but it is a more
secure method than unsalted digests in the event that the password table is compromised.
> <snip />


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message