📘 Premium Read: Access my best content on Medium member-only articles — deep dives into Java, Spring Boot, Microservices, backend architecture, interview preparation, career advice, and industry-standard best practices.

🎓 Top 15 Udemy Courses (80-90% Discount): My Udemy Courses - Ramesh Fadatare — All my Udemy courses are real-time and project oriented courses.

▶️ Subscribe to My YouTube Channel (176K+ subscribers): Java Guides on YouTube

▶️ For AI, ChatGPT, Web, Tech, and Generative AI, subscribe to another channel: Ramesh Fadatare on YouTube

In this tutorial, we will learn the technique of salted password hashing (SHA-256 algorithm) with an example.

The SHA (Secure Hash Algorithm) is one of the popular cryptographic hash functions. A cryptographic hash can be used to make a signature for a text or a data file. 

The SHA-256 algorithm generates an almost-unique, fixed-size 256-bit (32-byte) hash. This is a one-way function, so the result cannot be decrypted back to the original value.

Java sha256 Hash With Salt Example

package com.avaya.smgr.tm.util;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class SecureUtils {

    public static String getSecurePassword(String password, byte[] salt) {

        String generatedPassword = null;
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            byte[] bytes = md.digest(password.getBytes());
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < bytes.length; i++) {
                sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
            }
            generatedPassword = sb.toString();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
        return generatedPassword;
    }

    private static byte[] getSalt() throws NoSuchAlgorithmException {
        SecureRandom random = new SecureRandom();
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        return salt;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {

        // same salt should be passed
        byte[] salt = getSalt();
        String password1 = getSecurePassword("Password", salt);
        String password2 = getSecurePassword("Password", salt);
        System.out.println(" Password 1 -> " + password1);
        System.out.println(" Password 2 -> " + password2);
        if (password1.equals(password2)) {
            System.out.println("passwords are equal");
        }
    }
}

Output:

 Password 1 -> ef7e71a5f010e4b2dc5ced58c672722e3d7d477b3e30621ac80477ce418459cd
 Password 2 -> ef7e71a5f010e4b2dc5ced58c672722e3d7d477b3e30621ac80477ce418459cd
passwords are equal

Notice that, both the passwords are equal because we are using the same salt for generating the same hashing password.

Let's understand the above example.

Java provides inbuilt MessageDigest class for SHA-256 hashing:

MessageDigest md = MessageDigest.getInstance("SHA-256");

Next, we will be creating a new instance for the SecureRandom class and the nextByte() method generates the random salt.

SecureRandom random = new SecureRandom();
byte[] salt = new byte[16];
random.nextBytes(salt);

We add salt to input using the update() method of MessageDigest:

md.update(salt);

Once we have added the salt we can generate the hashed password using the digest() method:

byte[] bytes = md.digest(password.getBytes(StandardCharsets.UTF_8));

Convert byte[] into a string as:

byte[] bytes = md.digest(password.getBytes(StandardCharsets.UTF_8));
StringBuilder sb = new StringBuilder();
for(int i=0; i< bytes.length ;i++)
{
 sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
}
generatedPassword = sb.toString();

Validate Password

While Storing the password

• Generate a long random salt using SecureRandom.
• Use the Hash function such as SHA256 to hash both Salt and Password together.
• Save both the Salt and the Hash separately in the database.

While Validating the password

• Retrieve the Salt and Hash from the database.
• Use the same Hash function (SHA256) which is used while generating the hash.
• Generate a new Hash with the new password provided and the Salt retrieved from the database.
• Now compare the new hash with the hash from the database. If they match, then the password provided is correct. Otherwise, the password is incorrect.

Have a look into the above example, we are using the same salt to generate the same hashing password and validation.

Conclusion

In this tutorial, we have seen how to generate salted password hashing (SHA-256 algorithm) with an example.

References

• https://en.wikipedia.org/wiki/SHA-2
• https://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html.
• https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/MessageDigest.html