Home/ Questions/Q 6054631
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T08:10:29+00:00

Can someone provide an example for java/android on how to hash a password using

  • 0

  1. Can someone provide an example for java/android on how to hash a password using PW_HASH_ITERATION_COUNT iterations of sha512 + salt?

    in pseudo code:

    hash = sha512(concat(pw,salt));
for (i = 1; i<PW_HASH_ITERATION_COUNT; i++){
    hash = sha512(concat(hash,concat(pw,salt)));
}

    Where z = concat(x,y) is the concatenation of x and y.

    Maybe using MessageDigest ?

  2. What would you suggest as PW_HASH_ITERATION_COUNT? How many iterations would be the maximum so that this might even run on some older devices (2.1+)

UPDATE UPDATE UPDATE

Due to good reasons, we will use bcrypt to encrypt our passwords. We use the jBCrypt implementation.

Anyway.. to answer the question… this is the code for the question above to use SHA-512 with the MessageDigest:

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import de.seduceme.utils.Base64;

public class PwStorage {
    public static int PW_HASH_ITERATION_COUNT = 5000;
    private static MessageDigest md;

    public static void main(String[] args) {
        String pw = "teüöäßÖst1";
        String salt = "e33ptcbnto8wo8c4o48kwws0g8ksck0";

        try {
            md = MessageDigest.getInstance("SHA-512");
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
            throw new RuntimeException("No Such Algorithm");
        }

        String result = PwStorage.hashPw(pw, salt);
        System.out.println(result);
        // result: 2SzT+ikuO9FBq7KJWulZy2uZYujLjFkSpcOwlfBhi6VvajJMr6gxuRo5WvilrMlcM/44u2q8Y1smUlidZQrLCQ==
    }


    private static String hashPw(String pw, String salt) {
        byte[] bSalt;
        byte[] bPw;

        try {
            bSalt = salt.getBytes("UTF-8");
            bPw = pw.getBytes("UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException("Unsupported Encoding", e);
        }

        byte[] digest = run(bPw, bSalt);
        for (int i = 0; i < PW_HASH_ITERATION_COUNT - 1; i++) {
            digest = run(digest, bSalt);
        }

        return Base64.encodeBytes(digest);
    }

    private static byte[] run(byte[] input, byte[] salt) {
        md.update(input);
        return md.digest(salt);
    }
}

With this Base64 lib.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Read my post here, especially the post I linked to about password hashing.

    • You should ideally use bcrypt or scrypt rather than doing your own password hashing.
    • But if you must, you should run for a few thousand iterations at the minimum, preferably more.

    Yes, you can use MessageDigest for SHA-512. Each time you call digest, the state of the object automatically resets, which is really handy—you can start updating for the next iteration straight away.

    But I still think you should use bcrypt or scrypt instead. For your own good, and the good of your users. 🙂

    • 0