2
\$\begingroup\$

This is my account table:

CREATE TABLE mwUser (
 username varchar2(20) primary key not null, 
 salt varchar2(64) unique not null,
 hashedpw varchar2(64) not null, 
 email varchar2(320) unique not null 
);

When I register a new user with my java webservice I automatically generate a random salt and store in the database base (see code below):

Connection c = dataSource.getConnection(); 
Statement stmt = c.createStatement();
boolean isFound=true;
String randomSalt="";
while(isFound){
 isFound=false;
 String randomSalt=createRandomString(); //creates salt/random string
 ResultSet rs = stmt.executeQuery("SELECT * FROM mvUser where salt="+randomString);
 //check if salt is unique
 while (rs.next()) {
 isFound=true;
 }
}
Statement insertStmt = c.createStatement();
String hashedPW=hash(randomSalt+pw); //generates hashed pw
ResultSet rs = stmt.executeQuery("INSERT INTO mvUser VALUES(.....));
stmt.close();
c.close();

But as you can see, from my point of view my code is not clean/performant/readable because I have two statements (for checking if salt is unique and and second statement is for inserting).

How can I automatically generate an unique string(salt) and hash it at the same time. I am trying to make my code more performant and read able.

200_success
145k22 gold badges190 silver badges478 bronze badges
asked Jun 12, 2019 at 1:46
\$\endgroup\$

1 Answer 1

4
\$\begingroup\$

Please use best practices in general when dealing with password hashing.

  • If you have to verify the database for your generated salt to be unique, you're using a bad salt generator. Make sure to focus on using a good generator instead.
  • Your hash function also seems weak. Consider using key stretching.

This should not be required:

while(isFound){
 isFound=false;
 String randomSalt=createRandomString(); //creates salt/random string
 ResultSet rs = stmt.executeQuery("SELECT * FROM mvUser where salt="+randomString);
 //check if salt is unique
 while (rs.next()) {
 isFound=true;
 }
}

And for hash, I would expect something like below, where hash is an established hash library (PBKDF2, bcrypt, scrypt, ..).

var hashedPW = hash(iterations, randomSalt, pw);
answered Jun 12, 2019 at 4:38
\$\endgroup\$
3
  • 1
    \$\begingroup\$ but even a good salt generator doesnt ensure that the salt is unique? The likelihood that the salt already exsists is just smaller? \$\endgroup\$ Commented Jun 12, 2019 at 10:14
  • \$\begingroup\$ @Lebron11 Exactly, and in combination with a variable number of iterations, even if two users happen to have the same plain text password and salt, they would end up having different hashes. \$\endgroup\$ Commented Jun 12, 2019 at 10:25
  • 1
    \$\begingroup\$ And even if they don't, the chances of that happening are extremely small. So I doubt there's much risk after that. I mean, what attack is going to abuse 2 random users having the same hash if you don't know which 2 users it's about? \$\endgroup\$ Commented Jun 12, 2019 at 12:53

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.