Java SHA-512 Hash With Salt Example
package com.avaya.smgr.tm.util;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class SecureUtils {

    // Returns the hex-encoded SHA-512 digest of salt || password.
    public static String getSecurePassword(String password, byte[] salt) {
        String generatedPassword = null;
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-512");
            // Feed the salt first, then the UTF-8 bytes of the password.
            md.update(salt);
            byte[] bytes = md.digest(password.getBytes(StandardCharsets.UTF_8));
            // Convert each byte to two lowercase hex characters.
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < bytes.length; i++) {
                sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
            }
            generatedPassword = sb.toString();
        } catch (NoSuchAlgorithmException e) {
            // Fail loudly instead of returning null, which would cause a
            // NullPointerException in the caller.
            throw new IllegalStateException("SHA-512 is not available", e);
        }
        return generatedPassword;
    }

    // Generates a 16-byte random salt from a cryptographically strong source.
    private static byte[] getSalt() throws NoSuchAlgorithmException {
        SecureRandom random = new SecureRandom();
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        return salt;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // The same salt must be passed to both calls, otherwise the hashes differ.
        byte[] salt = getSalt();
        String password1 = getSecurePassword("Password", salt);
        String password2 = getSecurePassword("Password", salt);
        System.out.println(" Password 1 -> " + password1);
        System.out.println(" Password 2 -> " + password2);
        if (password1.equals(password2)) {
            System.out.println("passwords are equal");
        }
    }
}
Password 1 -> aafd533eae0bafc1537749f1e9615ae66201f62f2386853e02ca0ec83fbc33c018b4afbdce682260de47e75abdca2d2c0191b6cd6c90b3f783def8204aac6ba5
Password 2 -> aafd533eae0bafc1537749f1e9615ae66201f62f2386853e02ca0ec83fbc33c018b4afbdce682260de47e75abdca2d2c0191b6cd6c90b3f783def8204aac6ba5
passwords are equal
MessageDigest md = MessageDigest.getInstance("SHA-512");
SecureRandom random = new SecureRandom();
byte[] salt = new byte[16];
random.nextBytes(salt);
md.update(salt);
byte[] bytes = md.digest(password.getBytes(StandardCharsets.UTF_8));
byte[] bytes = md.digest(password.getBytes(StandardCharsets.UTF_8));
StringBuilder sb = new StringBuilder();
for (int i = 0; i < bytes.length; i++) {
    sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
}
generatedPassword = sb.toString();
Validate Password
While storing the password
- Generate a long random salt using SecureRandom.
- Use a hash function such as SHA-256 to hash the salt and the password together.
- Save both the salt and the hash separately in the database.
While validating the password
- Retrieve the salt and the hash from the database.
- Use the same hash function (SHA-256) that was used when generating the hash.
- Generate a new hash from the password provided and the salt retrieved from the database.
- Now compare the new hash with the hash from the database. If they match, the password provided is correct. Otherwise, the password is incorrect.
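The storing and validating steps above, written out as an added example (not code from the original page). It uses SHA-512 as in the page's SecureUtils class. The StoredPassword class is a hypothetical stand-in for the two database columns, and Base64 encoding of the stored values is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Added example: store and validate a salted SHA-512 password hash.
public class PasswordStoreExample {
    // Hypothetical stand-in for the two database columns (salt, hash).
    static final class StoredPassword {
        final String saltB64;
        final String hashB64;
        StoredPassword(String saltB64, String hashB64) {
            this.saltB64 = saltB64;
            this.hashB64 = hashB64;
        }
    }

    private static final SecureRandom RANDOM = new SecureRandom();

    // Digest of salt || password, the same order the page's code uses.
    static byte[] hash(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Storing: a fresh random salt per password; salt and hash are kept separately.
    static StoredPassword store(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return new StoredPassword(enc.encodeToString(salt), enc.encodeToString(hash(password, salt)));
    }

    // Validating: re-hash the candidate with the stored salt, then compare.
    static boolean validate(String candidate, StoredPassword stored) throws NoSuchAlgorithmException {
        byte[] salt = Base64.getDecoder().decode(stored.saltB64);
        byte[] expected = Base64.getDecoder().decode(stored.hashB64);
        // MessageDigest.isEqual does not stop at the first differing byte,
        // so the comparison time does not reveal how much of the hash matched.
        return MessageDigest.isEqual(expected, hash(candidate, salt));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        StoredPassword row = store("Password");
        System.out.println("correct password -> " + validate("Password", row));
        System.out.println("wrong password   -> " + validate("password", row));
        System.out.println("hashes differ    -> " + !row.hashB64.equals(store("Password").hashB64));
    }
}
```

A single SHA-512 pass is fast to compute, so a stolen table of salted hashes can still be guessed against at high speed. For production password storage, a deliberately slow password-hashing function such as PBKDF2, bcrypt, scrypt or Argon2 is the usual choice.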
Nice one mate, really. helped me.