Hash (with Spring) and salt: is this safe?

I have a Spring-based web app, so I ended up using spring-security-3.0.8 (I know, that's not a good reason, lol) and I found the PasswordEncoder class. In my case I'm using the Md5PasswordEncoder, but I'm not sure if it could be the best implementation.

http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/authentication/encoding/PasswordEncoder.html

The salt is generated by a SecureRandom.

The whole code is something like this:

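// random is a java.security.SecureRandom; passwordEncoder is an Md5PasswordEncoder
String salt = new BigInteger(130, random).toString(32); // 130 random bits as base-32 text
user.setSalt(salt);
// Replace the plain-text password with its salted MD5 hash before saving
user.setPassword(passwordEncoder.encodePassword(user.getPassword(), salt));
db.save(user);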

I don't really need big security but it's just for knowledge's sake. :)

(What about making the salt as big as the hash by setting the bits to 160?)

Answers


For improved security you might want to consider jBCrypt or scrypt. Spring Security 3.1 supports BCrypt out of the box.

Further universally valid information can be found in the post Secure hash and salt for PHP passwords.
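
An added example, not part of the original question or answer: what the BCrypt route mentioned above looks like with the `BCryptPasswordEncoder` class that ships in Spring Security 3.1 and later. It assumes `spring-security-crypto` is on the classpath; the class name `BcryptExample`, the helper method names, the cost of 12 and the sample password are all chosen for illustration.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptExample {
    // Work factor (log2 of the round count). 12 is an assumed value:
    // pick the highest cost your login latency budget allows.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(12);

    /** Registration: returns the single string to store in the password column. */
    static String hashForStorage(String rawPassword) {
        // A fresh random salt is generated internally on every call and
        // embedded in the result, so no separate salt column is needed.
        return ENCODER.encode(rawPassword);
    }

    /** Login: salt and cost are read back out of the stored string. */
    static boolean verify(String candidate, String stored) {
        return ENCODER.matches(candidate, stored);
    }

    /** Cost embedded in a stored hash, useful for spotting hashes to upgrade. */
    static int costOf(String stored) {
        // Stored format: $2a$<cost>$<22-char salt><31-char hash>
        String[] parts = stored.split("\\$");
        return Integer.parseInt(parts[2]);
    }

    public static void main(String[] args) {
        String pw = "correct horse battery staple"; // constructed sample input

        String first = hashForStorage(pw);
        String second = hashForStorage(pw);

        // Same password, two independent salts: compare the stored strings.
        System.out.println("hash 1: " + first);
        System.out.println("hash 2: " + second);
        System.out.println("identical strings: " + first.equals(second));

        // Both stored strings still verify the original password.
        System.out.println("verifies: " + (verify(pw, first) && verify(pw, second)));
        System.out.println("wrong password verifies: " + verify("not the password", first));

        // On a later login, a cost below the current setting marks a hash to re-encode.
        System.out.println("embedded cost: " + costOf(first));
    }
}
```

Unlike the `Md5PasswordEncoder` snippet in the question, the caller never generates or stores a salt here, and the per-guess cost for an attacker with a copy of the table is set by the work factor rather than by the speed of a single MD5 computation.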

