Hash (with Spring) and salt: is this safe?
I have a Spring-based web app, so I ended up using spring-security-3.0.8 (I know, that's not a good reason, lol) and I found the PasswordEncoder class. In my case I'm using the Md5PasswordEncoder, but I'm not sure if it is the best implementation.
The salt is generated by a SecureRandom.
The whole code is something like this:
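    // 130 random bits from the SecureRandom, encoded in base 32
    String salt = new BigInteger(130, random).toString(32);
    user.setSalt(salt);
    // Hash the password together with the per-user salt, then persist
    user.setPassword(passwordEncoder.encodePassword(user.getPassword(), salt));
    db.save(user);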
I don't really need big security but it's just for knowledge's sake. :)
(What about making the salt as big as the hash by setting the bits to 160?)
Further universally valid information can be found in the post Secure hash and salt for PHP passwords.
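An added example, not part of the original post and not Spring Security's own code: the same SecureRandom salt construction as in the question, paired with the JDK's built-in PBKDF2WithHmacSHA1 in place of a single MD5 pass, together with the verification step done at login. The class name, the iteration count and the sample password are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical demo class: per-user salt plus an iterated key-derivation function.
public class SaltedPasswordDemo {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int ITERATIONS = 100_000; // assumed value; tune to your hardware
    private static final int HASH_BITS = 160;      // output size of HMAC-SHA1

    // Same construction as the question: `bits` random bits rendered in base 32.
    static String newSalt(int bits) {
        return new BigInteger(bits, RANDOM).toString(32);
    }

    // Derive the stored hash from the password and the user's salt.
    static byte[] hash(char[] password, String salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(
                password, salt.getBytes(StandardCharsets.UTF_8), ITERATIONS, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the copy of the password held by the spec
        }
    }

    // Login check: recompute with the stored salt, then compare the two byte arrays.
    static boolean matches(char[] candidate, String salt, byte[] stored) throws Exception {
        return MessageDigest.isEqual(hash(candidate, salt), stored);
    }

    public static void main(String[] args) throws Exception {
        char[] sample = "constructed-sample-password".toCharArray(); // constructed input
        String salt = newSalt(130);
        byte[] stored = hash(sample, salt);
        System.out.println("salt (130 bits): " + salt);
        System.out.println("salt (160 bits): " + newSalt(160));
        System.out.println("correct password matches: " + matches(sample, salt, stored));
        System.out.println("wrong password matches:   "
                + matches("guess".toCharArray(), salt, stored));
    }
}
```

The salt and the derived hash are stored per user, as in the question's `user.setSalt(...)` and `user.setPassword(...)` calls; the salt does not need to be secret, only unique per account.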