Password4j - A Java Library for Hashing & Checking Password

Password4j is a user-friendly Java cryptographic library for hashing and checking passwords with different key derivation functions (KDFs) and cryptographic hash functions (CHFs).

Algorithms can be configured programmatically or through a property file in your classpath (see the Configuration section).

The right configuration depends mostly on your environment. Password4j ships a tool that derives a set of optimal parameters from the performance of the system and the maximum computational time you are willing to spend (see the Performance section).

The library fully supports Argon2, bcrypt, scrypt and PBKDF2 and can produce and handle cryptographic salt and pepper.

Maven

Add the dependency of the latest version to your pom.xml:

<dependency>
    <groupId>com.password4j</groupId>
    <artifactId>password4j</artifactId>
    <version>1.6.0</version>
</dependency>

Gradle

Add to your build.gradle module dependencies:

repositories {
    mavenCentral()
}

dependencies {
    implementation 'com.password4j:password4j:1.6.0'
}

Scala SBT

Add to the managed dependencies of your build.sbt the latest version:

libraryDependencies += "com.password4j" % "password4j" % "1.6.0"

Usage

Password4j provides three main features: password hashing, hash checking and hash updating.

Hash the password

This is the easiest way to hash a password with a CHF (bcrypt in this case):

Hash hash = Password.hash(password).withBcrypt();

Salt and pepper may be optionally added to the builder (PBKDF2 in this case):

// PBKDF2 with salt 12 bytes long (randomly generated).
Hash hash = Password.hash(password).addRandomSalt(12).withPBKDF2();

// PBKDF2 with a chosen salt.
Hash hash = Password.hash(password).addSalt(salt).withPBKDF2();

// PBKDF2 with chosen salt and pepper.
Hash hash = Password.hash(password).addSalt(salt).addPepper(pepper).withPBKDF2();

// Custom PBKDF2 (PBKDF2 with HMAC-SHA512, 64000 iterations and a 512-bit derived key).
Hash hash = Password.hash(password).with(PBKDF2Function.getInstance(Hmac.SHA512, 64000, 512));

The same structure can be adopted for the other CHFs, not just for PBKDF2.

Verify the hash

With the same ease you can verify the hash:

boolean verified = Password.check(password, hash).withBcrypt();

Salt and pepper may be optionally added to the builder (PBKDF2 in this case):

// Verify with PBKDF2.
boolean verification = Password.check(password, hash).withPBKDF2();

// Verify with PBKDF2 and manually provided salt.
boolean verification = Password.check(password, hash).addSalt(salt).withPBKDF2();

// Verify with PBKDF2 and manually provided salt and pepper.
boolean verification = Password.check(password, hash).addSalt(salt).addPepper(pepper).withPBKDF2();

The same structure can be adopted for the other algorithms, not just for PBKDF2. Take into account that Argon2, bcrypt and scrypt store the salt inside the hash, so the addSalt() method is not needed for them.

// Verify with Argon2, reads the salt from the given hash.
boolean verification = Password.check(password, hash).withArgon2();

Some algorithms encode into the hash the parameters that were used to compute that hash, notably bcrypt, scrypt, and Argon2. When checking a hash, you can use the parameters from the hash rather than Password4j's configured defaults.

// Verify with Argon2, reads the salt and parameters from the given hash.
boolean verification = Password.check(password, hash).with(Argon2Function.getInstanceFromHash(hash));
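The following is an added, self-contained example (not code from the Password4j README) that runs the hash-and-verify flow above end to end for bcrypt, Argon2 and PBKDF2, making the difference visible: bcrypt and Argon2 carry salt and parameters inside the encoded hash, while a PBKDF2 deployment has to persist the salt itself and hand it back at check time. The StoredCredential class, the sample password and the explicit bcrypt/Argon2 parameters are constructed for the demonstration; the BcryptFunction and Argon2Function factory signatures are as I know them from the 1.6.0 API and should be checked against the javadoc of the version you use.

```java
import java.security.SecureRandom;
import java.util.Base64;

import com.password4j.Argon2Function;
import com.password4j.BcryptFunction;
import com.password4j.Hash;
import com.password4j.Password;
import com.password4j.types.Argon2;
import com.password4j.types.Bcrypt;

public class HashAndVerifyExample
{
    // Constructed record: what a credential store persists per user. The salt
    // column is only needed for PBKDF2; bcrypt and Argon2 embed it in the hash.
    static final class StoredCredential
    {
        final String hash;
        final String salt;

        StoredCredential(String hash, String salt)
        {
            this.hash = hash;
            this.salt = salt;
        }
    }

    // bcrypt with an explicit cost (2^12 rounds) instead of the configured default.
    static StoredCredential registerBcrypt(String password)
    {
        Hash hash = Password.hash(password).with(BcryptFunction.getInstance(Bcrypt.B, 12));
        return new StoredCredential(hash.getResult(), null);
    }

    static boolean loginBcrypt(String password, StoredCredential cred)
    {
        // Salt and cost are parsed from the "$2b$12$..." string; nothing else is needed.
        return Password.check(password, cred.hash).withBcrypt();
    }

    // Argon2id with 64 MiB of memory, 3 passes, 4 lanes and a 32-byte tag (constructed values).
    static StoredCredential registerArgon2(String password)
    {
        Hash hash = Password.hash(password).with(Argon2Function.getInstance(65536, 3, 4, 32, Argon2.ID));
        return new StoredCredential(hash.getResult(), null);
    }

    static boolean loginArgon2(String password, StoredCredential cred)
    {
        // Memory, iterations, parallelism and salt are taken from the encoded hash,
        // so raising the configured defaults later does not break old hashes.
        return Password.check(password, cred.hash).with(Argon2Function.getInstanceFromHash(cred.hash));
    }

    // PBKDF2 does not encode the salt: generate one and store it next to the hash.
    static StoredCredential registerPbkdf2(String password)
    {
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        String salt = Base64.getEncoder().encodeToString(raw);
        Hash hash = Password.hash(password).addSalt(salt).withPBKDF2();
        return new StoredCredential(hash.getResult(), salt);
    }

    static boolean loginPbkdf2(String password, StoredCredential cred)
    {
        // Without the stored salt the check would derive a different key and fail.
        // Iterations and length come from the configured PBKDF2 defaults, which must
        // therefore stay the same as at registration time.
        return Password.check(password, cred.hash).addSalt(cred.salt).withPBKDF2();
    }

    public static void main(String[] args)
    {
        String password = "correct horse battery staple"; // constructed sample

        StoredCredential b = registerBcrypt(password);
        StoredCredential a = registerArgon2(password);
        StoredCredential p = registerPbkdf2(password);

        System.out.println("bcrypt ok=" + loginBcrypt(password, b) + " wrong=" + loginBcrypt("nope", b));
        System.out.println("argon2 ok=" + loginArgon2(password, a) + " wrong=" + loginArgon2("nope", a));
        System.out.println("pbkdf2 ok=" + loginPbkdf2(password, p) + " wrong=" + loginPbkdf2("nope", p));
    }
}
```

Each login call returns true for the registered password and false for the wrong one. The PBKDF2 path is the one that breaks silently when the salt is lost or the configured iteration count changes, which is why the Argon2 path reads its parameters back from the hash instead of relying on configuration.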

Update the hash

When a configuration is no longer considered secure, you can refresh the hash with a more modern algorithm like this:

// Reads the latest configurations in your psw4j.properties
HashUpdate update = Password.check(password, hash).update().withBcrypt();

if(update.isVerified())
{
    Hash newHash = update.getHash();
}

Or, if you want to switch from one CHF to another:

PBKDF2Function pbkdf2 = AlgorithmFinder.getPBKDF2Instance();
HashUpdate update = Password.check(password, hash).update().withScrypt(pbkdf2);

if(update.isVerified())
{
    Hash newHash = update.getHash();
}

Insecure Algorithms

Many systems may still store passwords with insecure algorithms such as MD5 or SHA-256. With Password4j you can migrate them to stronger algorithms at login time:

MessageDigestFunction md = MessageDigestFunction.getInstance("SHA-256");
HashUpdate update = Password.check(password, hash).update().withScrypt(md);

if(update.isVerified())
{
    Hash newHash = update.getHash();
}
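As an added example (not code from the Password4j README), here is the migration pattern from the "Update the hash" and "Insecure Algorithms" sections put into a login routine: a record tagged as legacy SHA-256 is verified with MessageDigestFunction and, only on a successful verification, rehashed with scrypt and rewritten; records that are already scrypt go through a normal check. The Credential class, the algorithm tag and the sample passwords are constructed; the legacy record is simulated with the library's own MessageDigestFunction so that its encoding matches, and ScryptFunction.getInstanceFromHash is assumed to exist alongside the Argon2Function.getInstanceFromHash the README shows.

```java
import com.password4j.Hash;
import com.password4j.HashUpdate;
import com.password4j.MessageDigestFunction;
import com.password4j.Password;
import com.password4j.ScryptFunction;

public class LegacyMigrationExample
{
    // Constructed credential record. The algorithm tag lets the login path
    // decide whether a stored hash still has to be migrated.
    static final class Credential
    {
        String algorithm; // "sha256" (legacy, unsalted) or "scrypt"
        String hash;

        Credential(String algorithm, String hash)
        {
            this.algorithm = algorithm;
            this.hash = hash;
        }
    }

    // The legacy scheme this store used: plain SHA-256 without a salt.
    static final MessageDigestFunction LEGACY_SHA256 = MessageDigestFunction.getInstance("SHA-256");

    // Simulates an old record. Real legacy hashes must be encoded the way
    // MessageDigestFunction expects them, otherwise verification never succeeds
    // and no record would ever be migrated.
    static Credential legacyRecord(String password)
    {
        return new Credential("sha256", Password.hash(password).with(LEGACY_SHA256).getResult());
    }

    // Verifies a login and, only when a legacy hash verifies, replaces it with scrypt.
    // On a failed attempt the record is left untouched, so a wrong password
    // can never trigger a rehash.
    static boolean loginAndMigrate(String password, Credential cred)
    {
        if ("scrypt".equals(cred.algorithm))
        {
            // Work factor, resources, parallelization and salt come from the encoded hash.
            return Password.check(password, cred.hash).with(ScryptFunction.getInstanceFromHash(cred.hash));
        }

        // Verify with the old function, rehash with the configured scrypt defaults.
        HashUpdate update = Password.check(password, cred.hash).update().withScrypt(LEGACY_SHA256);
        if (!update.isVerified())
        {
            return false;
        }

        Hash upgraded = update.getHash();
        cred.algorithm = "scrypt";
        cred.hash = upgraded.getResult();
        return true;
    }

    public static void main(String[] args)
    {
        Credential cred = legacyRecord("hunter2"); // constructed sample
        System.out.println("before: " + cred.algorithm);

        System.out.println("wrong password: " + loginAndMigrate("letmein", cred) + ", still " + cred.algorithm);
        System.out.println("right password: " + loginAndMigrate("hunter2", cred) + ", now " + cred.algorithm);
        System.out.println("login on migrated hash: " + loginAndMigrate("hunter2", cred));
    }
}
```

The first login with the wrong password returns false and leaves the record on sha256; the first login with the right password returns true and rewrites it as scrypt; the third login verifies against the scrypt hash. Persisting the new hash is the step most often forgotten in such migrations, so the routine mutates the record in the same call that verified it.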

List of supported algorithms

Key derivation functions        Since    Notes
PBKDF2                          1.0.0    Depending on the Security Services your JVM provides
bcrypt                          1.0.0
scrypt                          1.0.0
Argon2                          1.5.0

Cryptographic hash functions    Since    Notes
MD family                       1.4.0
SHA1 family                     1.4.0
SHA2 family                     1.4.0
SHA3 family                     1.4.0    Depending on the Security Providers your JVM provides

Security of Strings

Strings are immutable objects: once stored in memory they cannot be erased until garbage collection. It is always recommended to use char[] instead of String for storing passwords, where possible (in a web application, most web containers will already pass the password into the HttpServletRequest object in plaintext as a String).

An attacker able to dump the memory could read the password before you use it as input for Password4j; even if it is read after its usage, there is no guarantee of when garbage collection occurs, which means the password may stay in memory indefinitely and its value cannot be erased.

For this reason Password4j provides a SecureString class that alleviates this problem. The provided char[] is wrapped in a SecureString and is never converted into a String during the process.

You can erase the underlying char[] with the clear() method.

SecureString secure = new SecureString(new char[]{...});

Password.hash(secure).withBcrypt();
Password.check(secure, hash).withBcrypt();

secure.clear();
// At this point the underlying char[] = {\0, \0, \0, ...}

In addition to this, you may want to clean the original char[]. With the following code even the source is zeroed:

char[] password = {...};
SecureString secure = new SecureString(password, true);

// At this point password = {\0, \0, \0, ...}

The pepper can be expressed as SecureString as well.

Using SecureString or char[] does not completely defend you from attacks: the garbage collector constantly copies objects from the from-space to the to-space, and erasing the original char[] does not erase its copies; moreover, it is never guaranteed that clear() runs before garbage collection. For these reasons the usage of SecureString or char[] only reduces an attacker's window of opportunity.
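As an added example (not code from the Password4j README), the snippet below puts the SecureString guidance above into a shape that survives exceptions: the caller's char[] is zeroed by the constructor (eraseSource = true), the wrapper is cleared in a finally block so that a failure inside hashing cannot leave the copy behind, and a helper checks that the buffers really are zero afterwards. The sample password and the isZeroed helper are constructed for the demonstration.

```java
import com.password4j.Hash;
import com.password4j.Password;
import com.password4j.SecureString;

public class SecureStringExample
{
    // Hashes a password held in a char[] and zeroes both the caller's array
    // and the SecureString copy, even when hashing throws.
    static String hashAndWipe(char[] password)
    {
        // eraseSource = true: the constructor zeroes the caller's array after
        // copying it, so only the wrapper's own copy is left to clear.
        SecureString secure = new SecureString(password, true);
        try
        {
            Hash hash = Password.hash(secure).withBcrypt();
            return hash.getResult();
        }
        finally
        {
            secure.clear();
        }
    }

    // Same discipline for the verification side.
    static boolean checkAndWipe(char[] password, String storedHash)
    {
        SecureString secure = new SecureString(password, true);
        try
        {
            return Password.check(secure, storedHash).withBcrypt();
        }
        finally
        {
            secure.clear();
        }
    }

    // Constructed helper: true when every element of the buffer is '\0'.
    static boolean isZeroed(char[] buffer)
    {
        for (char c : buffer)
        {
            if (c != '\0')
            {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args)
    {
        // Constructed sample. The String literal is only here to build the demo;
        // it stays in the String pool, which is exactly the exposure SecureString
        // avoids. Real code should fill the char[] from a Console or Reader
        // without ever going through a String.
        char[] password = "correct horse battery staple".toCharArray();
        char[] attempt = "correct horse battery staple".toCharArray();

        String stored = hashAndWipe(password);
        System.out.println("source array zeroed: " + isZeroed(password));
        System.out.println("verified: " + checkAndWipe(attempt, stored));
        System.out.println("attempt array zeroed: " + isZeroed(attempt));
    }
}
```

Both isZeroed calls print true and the verification prints true. The pattern shortens the window the paragraph above describes but, as it says, cannot remove it: the literal in main and any copies the garbage collector made are outside what clear() can reach.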

JCA

Password4j is compatible with JCA. See this project for more details.

Configuration

Password4j provides a portable way to configure the library.

With the property file psw4j.properties placed in your classpath, you can define the parameters of all the supported CHFs or just of the CHF(s) you need. Alternatively, you can specify a custom path with the system property -Dpsw4j.configuration:

java -Dpsw4j.configuration=/my/path/to/some.properties ...

Here's a basic configuration (please do not use it in production; instead, run a benchmark session in your target environment, see the Performance section):

### Argon2
hash.argon2.memory=4096
hash.argon2.iterations=20
hash.argon2.length=128
hash.argon2.parallelism=4
hash.argon2.type=id


### bcrypt
hash.bcrypt.minor=b
# logarithmic cost (cost = 2^12)
hash.bcrypt.rounds=12


### scrypt
# N
hash.scrypt.workfactor=16384
# r
hash.scrypt.resources=16
# p
hash.scrypt.parallelization=1
# length
hash.scrypt.derivedKeyLength=64

### PBKDF2
# with HMAC-SHA256
hash.pbkdf2.algorithm=SHA256
# 64000 iterations
hash.pbkdf2.iterations=64000
# derived key of 256bit 
hash.pbkdf2.length=256


### Legacy MessageDigest
# algorithm
hash.md.algorithm=SHA-512
# append/prepend salt
hash.md.salt.option=append

Additionally, you can define your shared pepper here:

global.pepper=AlicePepper

and use it like this:

// Hash
Password.hash("password").addPepper().withScrypt();

// Verify
Password.check("password", "hash").addPepper().withScrypt();

SecureRandom can be instantiated through SecureRandom.getInstanceStrong() for generating salts and peppers by setting:

global.random.strong=true

but make sure that your JVM supports it and that it points to a non-blocking source of entropy, otherwise you may experience huge performance drops (see SecureRandom).

Performance

Password4j is delivered with a tool that helps developers choose the right parameters for a specific CHF.

The tool must be run on the target system, because performance varies between environments.

The class SystemChecker can be used to find these optimal values.

In the wiki you can find how to configure PBKDF2, bcrypt, scrypt and Argon2 depending on your responsiveness requirements.
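As an added example (not code from the Password4j README or wiki), this block ties the Performance and Configuration sections together: it asks SystemChecker for the bcrypt cost and the Argon2id memory that fit a per-hash time budget on the machine it runs on, applies a floor so that slow hardware cannot drive the parameters below a minimum, and prints the corresponding psw4j.properties lines using the keys shown above. The SystemChecker and BenchmarkResult methods (benchmarkBcrypt, findMemoryForArgon2, getPrototype, getElapsed) are assumed to match the 1.6.0 API as documented in the project's wiki and should be checked against the javadoc; the floors, the 250 ms budget and the fixed Argon2 iterations/parallelism/output length are constructed policy values.

```java
import com.password4j.Argon2Function;
import com.password4j.BcryptFunction;
import com.password4j.BenchmarkResult;
import com.password4j.SystemChecker;
import com.password4j.types.Argon2;

public class TuneParametersExample
{
    // Constructed policy floors. The benchmark only says what this machine can
    // afford, not what is safe against an attacker's hardware, so never go below these.
    static final int MIN_BCRYPT_LOG_ROUNDS = 10;
    static final int MIN_ARGON2_MEMORY_KIB = 16 * 1024;

    // Largest bcrypt cost (log2 rounds) whose single hash stays within maxMillis.
    static int bcryptRoundsFor(long maxMillis)
    {
        BenchmarkResult<BcryptFunction> result = SystemChecker.benchmarkBcrypt(maxMillis);
        int rounds = result.getPrototype().getLogarithmicRounds();
        System.out.println("bcrypt: 2^" + rounds + " rounds measured at " + result.getElapsed() + " ms");
        return Math.max(rounds, MIN_BCRYPT_LOG_ROUNDS);
    }

    // Largest Argon2id memory (KiB) that fits maxMillis with the other parameters fixed.
    static int argon2MemoryFor(long maxMillis, int iterations, int parallelism, int outputLength)
    {
        BenchmarkResult<Argon2Function> result =
            SystemChecker.findMemoryForArgon2(maxMillis, iterations, parallelism, outputLength, Argon2.ID);
        int memory = result.getPrototype().getMemory();
        System.out.println("argon2id: " + memory + " KiB measured at " + result.getElapsed() + " ms");
        return Math.max(memory, MIN_ARGON2_MEMORY_KIB);
    }

    // Lines to paste into psw4j.properties, using the keys from the Configuration section.
    static String toProperties(int bcryptRounds, int argon2Memory, int iterations, int parallelism, int outputLength)
    {
        return "hash.bcrypt.minor=b\n"
             + "hash.bcrypt.rounds=" + bcryptRounds + "\n"
             + "hash.argon2.memory=" + argon2Memory + "\n"
             + "hash.argon2.iterations=" + iterations + "\n"
             + "hash.argon2.parallelism=" + parallelism + "\n"
             + "hash.argon2.length=" + outputLength + "\n"
             + "hash.argon2.type=id\n";
    }

    public static void main(String[] args)
    {
        long budget = 250; // ms per hash: a constructed responsiveness target
        int iterations = 3;
        int parallelism = 4;
        int outputLength = 32; // passed through unchanged to Argon2Function

        int rounds = bcryptRoundsFor(budget);
        int memory = argon2MemoryFor(budget, iterations, parallelism, outputLength);

        System.out.print(toProperties(rounds, memory, iterations, parallelism, outputLength));
    }
}
```

Run this on the machine class that will actually serve logins, not on a developer laptop, and rerun it when the hardware changes; the printed measured time should be close to the budget, and if the floor rather than the benchmark decided a value, that hardware is too slow for the policy rather than the policy being wrong.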

Documentation

The full documentation can be found here. For a quick start you can follow the instructions in the README.md.

The javadoc can be found here.

Installation

Password4j runs on Java 8 or higher versions by any vendor. It is supported by Android API 21+ as well.

The artifacts are deployed to Maven Central.

Download details:
Author: Password4j
Source code: https://github.com/Password4j/password4j
License: Apache-2.0 license

Tyrique Littel

1600135200