Looking into good ways to hash passwords in Java

I looked into good ways to hash passwords in Java, so I am noting them here.

Requirements and policy

  • Even if an attacker obtains all of the stored information and analyzes it offline, this must not be a problem.
  • A strong hash function, a salt that differs per account, and stretching are required.
  • The salt may be stored together with the hashed password.
  • For salting and stretching, use an existing implementation of an existing algorithm rather than a home-grown one.
    • e.g. PBKDF2, Bcrypt, Scrypt.
    • If JCA (Java Cryptography Architecture) can be used, that is probably best; otherwise, use an implementation from a well-known project.

References

Java implementations

Summary

  • On Java 7 and earlier, using Spring Security's Bcrypt implementation looks like the best option.
  • On Java 8 and later, use JCA's PBKDF2 with HMAC-SHA-256, or Spring Security's Bcrypt implementation.

PBKDF2

Bcrypt

Reference: http://terasolunaorg.github.io/guideline/public_review/Security/PasswordHashing.html

Scrypt

  • There is no implementation in JCA or from a well-known project.