In this section the generation of passwords, salt and corresponding hash values will be discussed. We assume Base64 encoding for the stored salt and hash values.
128 characters are reserved for the encoded salt value. That makes 128×6=768 bits or 96 bytes of salt.
SHA-256 produces a 256-bit (= 32 bytes) checksum. Base64 encodes groups of 3 bytes, and 33 can be divided by 3; that is, a 256-bit checksum encoded with Base64 must be padded with one byte and therefore needs 44 characters at 6 bits per character.
A salt and hash generator would normally be part of the user administration.
Download the salted-hash-generator-2014-07-29.zip to generate random passwords, random salt and corresponding hash values. Unpack the zip file in a directory of your choice. Afterwards edit the setup-java-home shell script and enter the correct location of a JDK 1.7+.
The salted-hash-generator comes with three options:
--generate | Creates a random 12-character password and a random 96 byte salt and computes the salted hash value with SHA-256 accordingly.
--makehash | Expects a password with at least 8 characters, creates the random 96 byte salt and computes the salted hash value with SHA-256 accordingly.
--verify | Expects the password to be verified together with a Base64 encoded salt (exactly 128 characters) and a Base64 encoded hash value (exactly 44 characters).
Use these options as shown below:
$ ./run-salted-hash-gen.sh --generate
...
-----salted-hash-generator-----------------------------------------------------
Generated password: VqAXiRXJaGeo
Base64 encoded salted hash value: dzctXMR6JL/FTkw+Yc0wviMd1LC+AbN8GKjfSEabDGU=
Base64 encoded salt: zyv0pEXihLo6woITKjPkgVeRS66fjIJHkTzbTaJgF9C/fUAEK+3wygXqSi9l7aEOkn0Ocs6W11m4Djzfxs1qA2yuEQPCq5JhkDRw8bjBUJdcfjckbDWZ/+/Op2hA1ICB
-------------------------------------------------------------------------------
...
Obviously --generate doesn't need further arguments. Use --makehash to generate salt and to compute the salted hash value for a user-selected password:
$ ./run-salted-hash-gen.sh --makehash "password=testtest"
...
-----salted-hash-generator-----------------------------------------------------
password = testtest
Base64 encoded salted hash value: hnzNTG3O1CsNjvMRIRMvl4K+5B71k6O/zo8kaI5P0aY=
Base64 encoded salt: mJ6RUPQmKcEieBOHX6tinwEClEMeaN6ix/c5bqtRRsalZM37bKqoWzZJyBR2o+7ASv7tchOwFzpZyP/3Z9Biu/CbuERpHg7y+hzi7Pn04dIJlRg7MQs/0L8YZWaIplNn
-------------------------------------------------------------------------------
...
The --verify option checks a given plaintext password against the salted hash value:
$ ./run-salted-hash-gen.sh --verify "password=testtest, salt=mJ6RUPQmKcEieBOHX6tinwEClEMeaN6ix/c5bqtRRsalZM37bKqoWzZJyBR2o+7ASv7tchOwFzpZyP/3Z9Biu/CbuERpHg7y+hzi7Pn04dIJlRg7MQs/0L8YZWaIplNn, hash=hnzNTG3O1CsNjvMRIRMvl4K+5B71k6O/zo8kaI5P0aY="
...
-----salted-hash-generator-----------------------------------------------------
password = testtest
Base64 encoded salt = mJ6RUPQmKcEieBOHX6tinwEClEMeaN6ix/c5bqtRRsalZM37bKqoWzZJyBR2o+7ASv7tchOwFzpZyP/3Z9Biu/CbuERpHg7y+hzi7Pn04dIJlRg7MQs/0L8YZWaIplNn
Base64 encoded salted hash value = hnzNTG3O1CsNjvMRIRMvl4K+5B71k6O/zo8kaI5P0aY=
verified = true
-------------------------------------------------------------------------------
...
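The --makehash and --verify steps can be sketched in Python as follows. This is an added example, not the salted-hash-generator's own code; the function names are hypothetical, and the way salt and password are combined (SHA-256 over the raw salt followed by the UTF-8 password) is an assumption, so it will not reproduce the sample values above.

```python
import base64
import hashlib
import hmac
import secrets

SALT_BYTES = 96   # 96 bytes -> 128 Base64 characters, no padding
SALT_CHARS = 128
HASH_CHARS = 44   # 32-byte SHA-256 digest -> 43 data characters + one '='


def salted_hash(password, salt):
    # Assumption: digest = SHA-256(salt || UTF-8 password). The page does not
    # state how the tool combines the two.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_hash(password):
    """Return (Base64 salt, Base64 hash) for a password of at least 8 characters."""
    if len(password) < 8:
        raise ValueError("password must have at least 8 characters")
    salt = secrets.token_bytes(SALT_BYTES)  # drawn from the OS CSPRNG
    return (base64.b64encode(salt).decode("ascii"),
            base64.b64encode(salted_hash(password, salt)).decode("ascii"))


def verify(password, salt_b64, hash_b64):
    """Check a password against stored values, rejecting malformed fields."""
    if len(salt_b64) != SALT_CHARS or len(hash_b64) != HASH_CHARS:
        return False
    try:
        salt = base64.b64decode(salt_b64, validate=True)
        stored = base64.b64decode(hash_b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    salt_b64, hash_b64 = make_hash("testtest")
    print(len(salt_b64), len(hash_b64), verify("testtest", salt_b64, hash_b64))
```

A single SHA-256 pass is fast, which makes offline guessing cheap; for newly designed systems a deliberately slow function such as PBKDF2 (hashlib.pbkdf2_hmac) is the usual choice.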