
Heimdall - Secure Password Hashing

This library implements a secure and upgradeable password hashing mechanism. See this blog post for details.

Why not just use PBKDF2, scrypt, bcrypt, etc.?

Actually, this library uses (some of) these algorithms. But it makes them easier for you to use: there is no need to worry about iteration counts, salt generation and the like. And if a flaw is discovered in one of the algorithms, the library makes sure that the hashes in your database are automatically upgraded to a secure format (provided you use the pattern shown in the usage block below).

Usage

Dependencies

The JARs are available via JCenter and Maven Central. If you are using Maven to build your project, add the following to the pom.xml file:

<dependencies>
    <dependency>
        <groupId>de.qaware.heimdall</groupId>
        <artifactId>heimdall</artifactId>
        <version>$LATEST_VERSION</version>
    </dependency>
</dependencies>

In case you are using Gradle to build your project, add the following to the build.gradle file:

repositories {
    jcenter()
    mavenCentral()
}

dependencies {
    compile 'de.qaware.heimdall:heimdall:$LATEST_VERSION'
}

Replace $LATEST_VERSION with the current release version, as shown in the project's Download badge.

Create a hash

Password password = PasswordFactory.create();

try(SecureCharArray cleartext = new SecureCharArray(...)) { // Read cleartext password from user
    String hash = password.hash(cleartext);
    // Persist the hash in a database etc...
}

Verify the hash

Password password = PasswordFactory.create();

String hash = ... // Load hash from persistent storage
try(SecureCharArray cleartext = new SecureCharArray(...)) { // Read cleartext password from user
    if (password.verify(cleartext, hash)) {
        if (password.needsRehash(hash)) { // Check if the hash uses an old hash algorithm, insecure parameters, etc.
            String newHash = password.hash(cleartext);
            // Persist the new hash in a database etc...
        }

        // Password is correct, proceed...
    } else {
        // Password is incorrect
    }
}

Changes

Looking for a change log?

Technical details

By default this library uses PBKDF2 with HMAC-SHA1 (PBKDF2WithHmacSHA1) with 20000 iterations and 192 bits (24 bytes) of salt.
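To make the verify-then-rehash pattern from the usage section and the role of these defaults concrete, here is an added, self-contained Python re-implementation of the same idea (example code, not Heimdall's own code or its on-disk hash format; the `alg$iterations$salt$dk` encoding and the `persist` callback are assumptions). It stores the parameters next to the hash, verifies with the stored parameters, and flags anything weaker than the current policy for upgrade on the next successful login.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional

# Current policy, matching the defaults documented above: PBKDF2 with
# HMAC-SHA1, 20000 iterations, 192-bit (24-byte) salt. Raising these or
# switching the algorithm is all it takes to trigger upgrades on next login.
CURRENT_ALG = "pbkdf2-sha1"
CURRENT_ITERATIONS = 20000
SALT_BYTES = 24
DIGESTS = {"pbkdf2-sha1": "sha1", "pbkdf2-sha256": "sha256"}


def hash_password(cleartext: str, alg: str = CURRENT_ALG,
                  iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Self-describing hash 'alg$iterations$salt$dk' (constructed format, not Heimdall's)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every new hash
    digest = DIGESTS[alg]
    dk = hashlib.pbkdf2_hmac(digest, cleartext.encode("utf-8"), salt,
                             iterations, hashlib.new(digest).digest_size)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "$".join([alg, str(iterations), b64(salt), b64(dk)])


def verify(cleartext: str, stored: str) -> bool:
    """Recompute with the parameters recorded in the stored hash, not the current policy."""
    alg, iterations, salt_b64, _ = stored.split("$")
    recomputed = hash_password(cleartext, alg, int(iterations), base64.b64decode(salt_b64))
    return hmac.compare_digest(recomputed, stored)  # constant-time comparison


def needs_rehash(stored: str) -> bool:
    """True if the stored hash is weaker than current policy: old algorithm, fewer iterations or short salt."""
    alg, iterations, salt_b64, _ = stored.split("$")
    return (alg != CURRENT_ALG
            or int(iterations) < CURRENT_ITERATIONS
            or len(base64.b64decode(salt_b64)) < SALT_BYTES)


def login(cleartext: str, stored: str, persist: Callable[[str], None]) -> bool:
    """The verify-then-rehash pattern: persist(new_hash) runs only after a successful
    verify, because login is the only moment the cleartext is available to rehash."""
    if not verify(cleartext, stored):
        return False
    if needs_rehash(stored):
        persist(hash_password(cleartext))  # upgrade to the current policy
    return True
```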

Useful resources

Maintainer

Moritz Kammerer (@phxql), [email protected]

Contributors

See the list of contributors.

License

This software is provided under the MIT open source license, read the LICENSE.txt file for details.


heimdall's Issues

Suggestion: Improve hashing strength on compatible systems

A PR which implements hashing with PBKDF2 SHA-256 had to be declined because Android doesn't support that algorithm.

Maybe we should implement a platform specific list of hash algorithms in a config to always select the strongest available. That way, a real Java application would get HMAC-SHA256 while Android stays on HMAC-SHA1.

Downsides: That way, a hash encoded with Heimdall on Windows can't be used anymore on Android, even if they have been created with the same Heimdall version.

javax.xml.bind.DatatypeConverter isn't available on Android

Hi,

I'm trying to use the library in an Android project but the javax.xml.bind.DatatypeConverter class isn't available on Android. Is there any chance you can tweak the dependencies to use either the Base64 class supplied by Android or make a dependency on commons-codec?

Thanks,

Andy.
