Package alpine.auth

Class PasswordService

  • public final class PasswordService
extends Object
    Alpine PasswordService that provides a secure method of hashing and validating user passwords. Internally, PasswordService uses a combination of SHA-512 and BCrypt for these functions. The password goes through the following flow during the hashing process: Password » SHA-512 » BCrypt (per-user salt, default rounds: 14) In this flow, a user password is hashed using SHA-512 which creates a 128 character HEX representation of a hash. This is called the prehash. The prehash acts to both 'extend' the password and to introduce built-in denial-of-service protection from exceptionally long passwords. Once the password is prehashed, it's sent to BCrypt where a per-user salt is used and the password is properly hashed. Both the creation and verification of hashes go through this process. Additionally, this class contains a method which will determine if a password should be rehashed due to an increase in rounds defined on the server.
    Since:
    1.0.0
    Author:
    Steve Springett

    • Method Summary

      All Methods Static Methods Concrete Methods 
      Modifier and Type Method Description
      static char[] createHash​(char[] password)
      Given a password to hash, this method will first prehash the password using SHA-512 thus creating a 128 character HEX representation of the password, which is then sent to BCrypt where a unique salt is generated and the prehashed password is properly hashed using the configured BCrypt work factor (determined by Config.AlpineKey.BCRYPT_ROUNDS.
      static char[] createHash​(char[] password, char[] salt)
      Given a password to hash, this method will first prehash the password using SHA-512 thus creating a 128 character HEX representation of the password, which is then sent to BCrypt where the prehashed password is properly hashed using the specified salt and uses the configured BCrypt work factor (determined by Config.AlpineKey.BCRYPT_ROUNDS.
      static boolean matches​(char[] assertedPassword, ManagedUser user)
      Checks the validity of the asserted password against a ManagedUsers actual hashed password.
      static boolean shouldRehash​(char[] bcryptHash)
      Checks the asserted BCrypt formatted hashed password and determines if the password should be rehashed or not.

    • Method Detail

      • createHash

        public static char[] createHash​(char[] password)
        Given a password to hash, this method will first prehash the password using SHA-512 thus creating a 128 character HEX representation of the password, which is then sent to BCrypt where a unique salt is generated and the prehashed password is properly hashed using the configured BCrypt work factor (determined by Config.AlpineKey.BCRYPT_ROUNDS.
        Parameters:
        password - the password to hash
        Returns:
        a hashed password
        Since:
        1.0.0

      • createHash

        public static char[] createHash​(char[] password,
                                char[] salt)
        Given a password to hash, this method will first prehash the password using SHA-512 thus creating a 128 character HEX representation of the password, which is then sent to BCrypt where the prehashed password is properly hashed using the specified salt and uses the configured BCrypt work factor (determined by Config.AlpineKey.BCRYPT_ROUNDS.
        Parameters:
        password - the password to hash
        salt - the salt to use when hashing this password
        Returns:
        a hashed password
        Since:
        1.0.0

      • matches

        public static boolean matches​(char[] assertedPassword,
                              ManagedUser user)
        Checks the validity of the asserted password against a ManagedUsers actual hashed password.
        Parameters:
        assertedPassword - the clear text password to check
        user - The ManagedUser to check the password of
        Returns:
        true if assertedPassword matches the expected password of the ManangedUser, false if not
        Since:
        1.0.0

      • shouldRehash

        public static boolean shouldRehash​(char[] bcryptHash)
        Checks the asserted BCrypt formatted hashed password and determines if the password should be rehashed or not. If the BCrypt work factor is increased (from 12 to 14 for example), passwords should be evaluated and if the existing stored hash uses a work factor less than what is configured, then the bcryptHash should be rehashed. The same does not apply in reverse. Stored hashed passwords with a work factor greater than the configured work factor will return false, meaning they should not be rehashed. If the bcryptHash length is less than the minimum length of a BCrypt hash, this method will return true.
        Parameters:
        bcryptHash - the hashed BCrypt to check
        Returns:
        true if the password should be rehashed, false if not
        Since:
        1.0.0