Hashing passwords in database

I did the login page for my web application in Eclipse Java using Tomcat and it’s running. I also made my connection to the Oracle database. And now I want to hash my passwords, making my app compare the hash code of the password that has been entered through the keyboard with the hash code of the password from the database (if the hashed codes are equal, then the password is correct). I wrote some code in Java for hashing the password.

Could you help me with some ideas about what I have to do to have that hashed code in my database? How can I store those hashed passwords?

You can store your hashed password as a varchar column in your database.

A typical hash algorithm returns an array of bytes. For example, Java’s MessageDigest:

  byte[] digest = messageDigest.digest();

You can store this however you like. You will also need to store:

  • The salt, if used (and you should)
  • A “version number” to identify the hashing algorithm you used
    • This is so that if one day you change algorithm, you know which one to use on old entries.

You could have three columns: hash varbinary, salt varbinary, version integer.

However, it’s quite common to encode all three into a single varchar:

  • 2 chars for the version (a hex number)
  • a fixed number of chars for the salt (hex or base64 – width depends on your algorithm and will vary with version)
  • a fixed number of chars for the hash (hex or base64)
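The single-varchar layout described above, worked through as an added example (not code from the question or the answer): version "01" is assumed to mean PBKDF2-HMAC-SHA256 with a 16-byte salt and a 32-byte hash, all hex-encoded; the class name, field widths and iteration count are my own choices.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.HexFormat;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Assumed column layout: 2 hex chars version | 32 hex chars salt | 64 hex chars hash.
// Widths are fixed per version, so the parser can locate each field by offset.
public final class PasswordColumn {
    // Version 01: PBKDF2-HMAC-SHA256, 16-byte salt, 32-byte hash (assumed parameters).
    private static final int VERSION = 1;
    private static final int SALT_BYTES = 16;
    private static final int HASH_BYTES = 32;
    private static final int ITERATIONS = 210_000;
    private static final HexFormat HEX = HexFormat.of();
    private static final SecureRandom RNG = new SecureRandom();

    // Select the algorithm by version so rows written under an old scheme stay verifiable.
    private static byte[] derive(int version, char[] password, byte[] salt) throws Exception {
        if (version != VERSION) throw new IllegalArgumentException("unknown hash version " + version);
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BYTES * 8);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Build the value to store in the varchar column: version + salt + hash, each hex-encoded.
    public static String encode(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);               // fresh random salt per password
        return String.format("%02x", VERSION) + HEX.formatHex(salt) + HEX.formatHex(derive(VERSION, password, salt));
    }

    // Verify a password typed at login against the stored column value.
    public static boolean verify(char[] password, String stored) throws Exception {
        if (stored.length() != 2 + SALT_BYTES * 2 + HASH_BYTES * 2) return false;  // malformed row
        int version = Integer.parseInt(stored.substring(0, 2), 16);
        byte[] salt = HEX.parseHex(stored.substring(2, 2 + SALT_BYTES * 2));
        byte[] expected = HEX.parseHex(stored.substring(2 + SALT_BYTES * 2));
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(expected, derive(version, password, salt));
    }

    public static void main(String[] args) throws Exception {
        String stored = encode("correct horse".toCharArray());   // what goes into the database
        System.out.println(stored);
        System.out.println(verify("correct horse".toCharArray(), stored));
        System.out.println(verify("wrong".toCharArray(), stored));
    }
}
```

HexFormat requires Java 17 or later; on older JDKs, replace it with a small byte-to-hex helper.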