Question

I'm using Java 6, Jasypt, and BouncyCastle to generate hashed passwords. I'm storing them in a MySQL 5.5 db with a default UTF-8 character encoding. I'm trying to figure out how long my VARCHAR password field should be given that I'm using a SHA-256 hashing algorithm and a RandomSaltGenerator of 20 bytes. Here's my declaration in my Spring application context:

<beans:bean id="bcProvider" class="org.bouncycastle.jce.provider.BouncyCastleProvider" /> 

<beans:bean id="jasyptStringDigester" class="org.jasypt.digest.StandardStringDigester">
    <beans:property name="algorithm">
        <beans:value>SHA-256</beans:value>
    </beans:property>
    <beans:property name="provider">
        <beans:ref bean="bcProvider" />
    </beans:property>
    <beans:property name="saltGenerator">
        <beans:ref bean="saltGenerator" />
    </beans:property>
    <beans:property name="saltSizeBytes" value="20" />
</beans:bean>

Thanks for any guidance, - Dave


Solution

The output of the SHA-256 hash function is, perhaps unsurprisingly, 256 bits long. The number of characters that makes depends on how you encode it.

A straight binary encoding, 8 bits per byte, would give you 32 bytes, but if you're storing the hash output in a text field, you're probably encoding it using e.g. Base64 (6 bits per char, padded to a multiple of 4 chars, for a total of 44 chars) or possibly hexadecimal (4 bits per char, 64 chars total).

In addition to the hash, it's common for a password field to contain the salt needed to reconstruct it as well. This will add some additional number of characters, which will depend on the exact password hashing scheme, output encoding and parameters (such as your saltSizeBytes) chosen.

Anyway, if the output length of your password hashing method isn't explicitly documented, the easiest way to find it might be to just feed it some test passwords and see what it returns. (Typically, the output should be of constant length.) Then, if you want, add some margin in the database definition just to be sure.

Oh, and as Waleed Khan notes, you really should be using a password hashing method that implements key stretching, such as PBKDF2.
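To follow the answer's advice of feeding the digester some test passwords, here is an added example (not code from the question, the answer or the Jasypt project) that configures a StandardStringDigester the same way as the Spring bean above and prints the length of each stored value next to the length the formula predicts. The expectedLength helper and the assumption that Jasypt stores the 20-byte random salt in front of the 32-byte digest are mine, so compare the printed numbers against what your own digester returns.

```java
import org.jasypt.digest.StandardStringDigester;

// Added example: measure the encoded output length of a StandardStringDigester
// configured like the question's bean (SHA-256, 20-byte random salt) and
// compare it with the size a VARCHAR column would need.
public class DigestLengthCheck {

    // Assumption: the stored value is salt || digest. Base64 encodes 3 bytes as
    // 4 chars (padded up to a multiple of 4), hexadecimal uses 2 chars per byte.
    static int expectedLength(int saltBytes, int hashBytes, boolean hex) {
        int raw = saltBytes + hashBytes;
        return hex ? raw * 2 : ((raw + 2) / 3) * 4;
    }

    // Same settings as the Spring bean; the default salt generator is
    // RandomSaltGenerator, so no explicit saltGenerator property is needed.
    static StandardStringDigester newDigester(int saltBytes, String outputType) {
        StandardStringDigester d = new StandardStringDigester();
        d.setAlgorithm("SHA-256");         // 32-byte digest
        d.setSaltSizeBytes(saltBytes);     // 20 in the question
        d.setStringOutputType(outputType); // "base64" (default) or "hexadecimal"
        d.setIterations(1000);             // Jasypt default, shown explicitly
        return d;
    }

    public static void main(String[] args) {
        // Constructed sample passwords; the output length must not vary with input.
        String[] samples = {"", "a", "correct horse battery staple", "p4ssw0rd!"};
        for (String outputType : new String[] {"base64", "hexadecimal"}) {
            StandardStringDigester digester = newDigester(20, outputType);
            int expected = expectedLength(20, 32, "hexadecimal".equals(outputType));
            for (String pw : samples) {
                String stored = digester.digest(pw);
                System.out.printf("%-11s %3d chars (expected %d) %s%n",
                        outputType, stored.length(), expected, stored);
                // The salt is part of the stored value, which is what lets
                // matches() verify a password later without a separate salt column.
                if (!digester.matches(pw, stored)) {
                    throw new AssertionError("matches() failed for " + outputType);
                }
            }
        }
    }
}
```

With the 20-byte salt prepended, the formula gives 72 characters for Base64 and 104 for hexadecimal, against the 44 and 64 the answer quotes for the bare 32-byte digest.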

Licensed under: CC-BY-SA with attribution