I am developing a small web app that internally authenticates users. Once the user is authenticated my web app then passes some information such as userID and Person’s name to a third party web application. The third party developer is suggesting that we hash and salt the values.
Forgive my ignorance, but what exactly does that mean?
I am writing the app in Java. So what I am planning on doing is hashing the userID, Person’s name, and some Math.random() value as the salt with Apache Commons Digest Utils SHA512 and passing that hashed string along with the userID and person’s name.
Is that the standard practice?
I should be passing the third party the salt as well correct?
A salt is normally used for storing hashes of passwords safely. Hashing a password for storage or communication (such that it can’t be read by others) is vulnerable for decoding by using rainbow tables. Now, when you add a random string to the password, but store the string with the hash, this becomes much harder. Calculating this new hash looks like:
or even
To safely log into a third party website, can send the UserID, salted hash (from above) and the salt that you used (if it is not given). Depending on how that website stored its passwords, you can generate the salt for yourself or you can ask for a salt from it.
One option is to send the UserID first to the website, then let it respond with the salt, and then send the
hash(password+salt))back to the website.