I'm writing a program where I use MD5 to hash login details before I send them to a server, but there I have to compare it to a blowfish (jBCrypt) hashed password retrieved from a database.
jBCrypt uses:
if (BCrypt.checkpw("candidatePassword", hashedPwd)) {
// they are the same
}
The problem is that, I don't have a candidate password to test. How can I have both secure transmission of my login details and secure storage of these details on the database. What is the best way to approach this?
I use username, timestamp, random bytes and password to create my md5 digest value.
Thanks, Vladimir
Given only the two hashes, you can't1. Hashes are designed to be one-way; you can't recover the original data from the hash, which is why storing hashed passwords is deemed more secure than storing encrypted passwords.
So the only way to validate data against a hash is to hash the data and see if the result matches.
1 Of course, words such as can't and only really mean "unless you use brute force...." The theories behind these algorithms prove that they are "reasonably" secure, but one must always remember the difference between theory and practice: in theory, there is no difference.