The salt is incorporated into the hash (encoded in a base64-style format).

For example, in traditional Unix passwords the salt was stored as the first two characters of the password. The remaining characters represented the hash value. The checker function knows this, and pulls the hash apart to get the salt back out.

If I have the following code:

    MyClass pClass = new MyClass();
    pClass.MyEvent += MyFunction;
    pClass = null;

Will pClass be garbage collected? Or will it hang around still firing its events whenever they occur? Will I need to do the following in order to allow garbage collection?

    MyClass pClass = new MyClass();
    pClass.MyEvent += MyFunction;
    pClass.MyEvent -= MyFunction;
    pClass = null;

Do event handlers stop garbage collection from occurring?

I want to use jQuery to parse RSS feeds. Can this be done with the base jQuery library out of the box or will I need to use a plugin?

Parse RSS with jQuery

[bCrypt&#39;s javadoc][1] has this code for how to encrypt a password:

    String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); 

To check whether a plaintext password matches one that has been hashed previously, use the checkpw method:

    if (BCrypt.checkpw(candidate_password, stored_hash))
        System.out.println(&quot;It matches&quot;);
    else
        System.out.println(&quot;It does not match&quot;);

These code snippets imply to me that the randomly generated salt is thrown away. Is this the case, or is this just a misleading code snippet?


  [1]: http://www.mindrot.org/files/jBCrypt/jBCrypt-0.2-doc/

Do I need to store the salt with bcrypt?

<a href="http://www.mindrot.org/files/jBCrypt/jBCrypt-0.2-doc/" target="_blank" rel="noopener noreferrer">bCrypt's javadoc</a> has this code for how to encrypt a password:
<pre><code class="hljs language-ini">String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); 
</code></pre>
To check whether a plaintext password matches one that has been hashed previously, use the checkpw method:
<pre><code class="hljs language-csharp">if (BCrypt.checkpw(candidate_password, stored_hash))
 System.out.println("It matches");
else
 System.out.println("It does not match");
</code></pre>
These code snippets imply to me that the randomly generated salt is thrown away. Is this the case, or is this just a misleading code snippet?

My schema specifies a namespace, but the documents don&#39;t. What&#39;s the simplest way to ignore namespace during JAXB unmarshalling (XML -&gt; object)?

In other words, I have

    &lt;foo&gt;&lt;bar&gt;&lt;/bar&gt;&lt;/foo&gt;

instead of,

    &lt;foo xmlns=&quot;http://tempuri.org/&quot;&gt;&lt;bar&gt;&lt;/bar&gt;&lt;/foo&gt;




JAXB: How to ignore namespace during unmarshalling XML document?

If you started a new Java EE project today which is to be finished in about a year, which application server would you choose and why?

Part of your answer should include your arguments for your decision. And also how much experience you have with the Java EE server you choose and with the other available servers on the market. These are interesting as we all get a sense of the investigation and thought that was put into your answer.

Would you, at present date, use JBoss or Glassfish (or another) as Java EE server for a new project?

Is it possible to use a DB sequence for some column that **is not the identifier/is not part of a composite identifier**? 

I&#39;m using hibernate as jpa provider, and I have a table that has some columns that are generated values (using a sequence), although they are not part of the identifier.

What I want is to use a sequence to create a new value for an entity, where the column for the sequence is **NOT** (part of) the primary key:

    @Entity
    @Table(name = &quot;MyTable&quot;)
    public class MyEntity {
    
        //...
        @Id //... etc
        public Long getId() {
            return id;
        }
        
       //note NO @Id here! but this doesn&#39;t work...
        @GeneratedValue(strategy = GenerationType.AUTO, generator = &quot;myGen&quot;)
        @SequenceGenerator(name = &quot;myGen&quot;, sequenceName = &quot;MY_SEQUENCE&quot;)
        @Column(name = &quot;SEQ_VAL&quot;, unique = false, nullable = false, insertable = true, updatable = true)
        public Long getMySequencedValue(){
          return myVal;
        }
    
    }

Then when I do this:

    em.persist(new MyEntity());

the id will be generated, but the `mySequenceVal` property will be also generated by my JPA provider.

Just to make things clear: I want **Hibernate** to generate the value for the `mySequencedValue` property. I know Hibernate can handle database-generated values, but I don&#39;t want to use a trigger or any other thing other than Hibernate itself to generate the value for my property. If Hibernate can generate values for primary keys, why can&#39;t it generate for a simple property?

Hibernate JPA Sequence (non-Id)

I have to read a binary file in a legacy format with Java. 

In a nutshell the file has a header consisting of several integers, bytes and fixed-length char arrays, followed by a list of records which also consist of integers and chars.

In any other language I would create `struct`s (C/C++) or `record`s (Pascal/Delphi) which  are byte-by-byte representations of the header and the record. Then I&#39;d read `sizeof(header)` bytes into a header variable and do the same for the records.

Something like this: (Delphi)

    type
      THeader = record
        Version: Integer;
        Type: Byte;
        BeginOfData: Integer;
        ID: array[0..15] of Char;
      end;

    ...

    procedure ReadData(S: TStream);
    var
      Header: THeader;
    begin
      S.ReadBuffer(Header, SizeOf(THeader));
      ...
    end;

What is the best way to do something similar with Java? Do I have to read every single value on its own or is there any other way to do this kind of &quot;block-read&quot;?

Best way to read structured binary files with Java

Using Maven 2, is there a way I can list out the jar dependencies as just the file names?

    mvn dependency:build-classpath 

can list the jar files, but that will include the full path to their location in my local repository. What I need is essentially just a list of the file names (or the file names that the copy-dependencies goal copied).

So the list I need would be something like

    activation-1.1.jar,antlr-2.7.6.jar,aopalliance-1.0.jar etc...

ideally as a maven property, but I guess, a file such as build-classpath can generate will do.

What I am trying to achieve is writing a `Bundle-ClassPath` to an otherwise manually maintained MANIFEST.MF file for a OSGi bundle. (You shouldn&#39;t need to understand this bit to answer the question.)

To clarify: The question is **not** about how to write manifest headers into the MANIFEST.MF file in a jar (that is easily googleble). I am asking about how to get the data I want to write, namely the list shown above.

List of dependency jar files in Maven

I&#39;ve **inherited** a web app that I&#39;ve just discovered stores over 300,000 usernames/passwords in plain text in a SQL Server database.  I realize that this is a Very Bad Thing™.

Knowing that I&#39;ll have to update the login and password update processes to encrypt/decrypt, and with the smallest impact on the rest of the system, what would you recommend as the best way to remove the plain text passwords from the database?

Any help is appreciated.

**Edit: Sorry if I was unclear, I meant to ask what would be your procedure to encrypt/hash the passwords, not specific encryption/hashing methods.**  

Should I just:

 1. Make a backup of the DB
 2. Update login/update password code
 3. After hours, go through all records in the users table hashing the password and replacing each one
 4. Test to ensure users can still login/update passwords

I guess my concern is more from the sheer number of users so I want to make sure I&#39;m doing this correctly.

Encrypting/Hashing plain text passwords in database

The current top-voted to [this question](https://stackoverflow.com/questions/325862/what-are-the-most-common-security-mistakes-programmers-make) states:

&gt; Another one that&#39;s not so much a security issue, although it is security-related, is complete and abject failure to **grok the difference between hashing a password and encrypting it**. Most commonly found in code where the programmer is trying to provide unsafe &quot;Remind me of my password&quot; functionality.

What exactly is this difference? I was always under the impression that hashing was a form of encryption. What is the unsafe functionality the poster is referring to?

Difference between Hashing a Password and Encrypting it

First of all, I&#39;m not looking for miracle... I know how PHP works and that there&#39;s not really way to hide my code from the clients without using encryption. But that comes with the cost of an extension to be installed on the running server.

I&#39;m looking for something different though... I&#39;m not looking to encrypt my code or even obfuscate it. There are many PHP scripts without encrypted/obfuscated code but they are commercial applications. For instance, vBulletin and/or IP.Board forum applications.

I just want to know what approach do these guys use for their applications...

I&#39;m also open to any other suggestions.

Please note that I&#39;m a single person and not working for a company. My product is also very specific, it won&#39;t sell that much. I just want you guys to know that I can&#39;t afford to consult a legal professional either to sue someone or prepare a commercial license. I&#39;m just looking for a simple way to protect my simple product, if it&#39;s indeed possible, somehow...

Best solution to protect PHP code without encryption

What is the difference between encrypting some data vs signing some data (using RSA)?  

Does it simply reverse the role of the public-private keys?  

For example, I want to use my private key to generate messages so only I can possibly be the sender.  I want my public key to be used to read the messages and I do not care who reads them.  I want to be able to encrypt certain information and use it as a product-key for my software.  I only care that I am the only one who can generate these.  I would like to include my public key in my software to decrypt/read the signature of the key.  I do not care who can read the data in the key, I only care that I am the only verifiable one who can generate them.

Is signing useful in this scenario?

What is the difference between encrypting and signing in asymmetric encryption?

I&#39;m trying to understand what the Java *java.security.Signature* class does. If I compute an SHA1 message digest, and then encrypt that digest using RSA, I get a different result to asking the *Signature* class to sign the same thing:

	// Generate new key
	KeyPair keyPair = KeyPairGenerator.getInstance(&quot;RSA&quot;).generateKeyPair();
	PrivateKey privateKey = keyPair.getPrivate();
	String plaintext = &quot;This is the message being signed&quot;;
	
	// Compute signature
	Signature instance = Signature.getInstance(&quot;SHA1withRSA&quot;);
	instance.initSign(privateKey);
	instance.update((plaintext).getBytes());
	byte[] signature = instance.sign();
	
	// Compute digest
	MessageDigest sha1 = MessageDigest.getInstance(&quot;SHA1&quot;);
	byte[] digest = sha1.digest((plaintext).getBytes());
	
	// Encrypt digest
	Cipher cipher = Cipher.getInstance(&quot;RSA&quot;);
	cipher.init(Cipher.ENCRYPT_MODE, privateKey);
	byte[] cipherText = cipher.doFinal(digest);
	
	// Display results
	System.out.println(&quot;Input data: &quot; + plaintext);
	System.out.println(&quot;Digest: &quot; + bytes2String(digest));
	System.out.println(&quot;Cipher text: &quot; + bytes2String(cipherText));
	System.out.println(&quot;Signature: &quot; + bytes2String(signature));

Results in (for example):

&gt;Input data: This is the message being signed  
&gt;Digest: 62b0a9ef15461c82766fb5bdaae9edbe4ac2e067  
&gt;Cipher text: 057dc0d2f7f54acc95d3cf5cba9f944619394711003bdd12...  
&gt;Signature: 7177c74bbbb871cc0af92e30d2808ebae146f25d3fd8ba1622...

I must have a fundamental misunderstanding of what *Signature* is doing - I&#39;ve traced through it, and it appears to be calling update on a *MessageDigest* object, with the algorithm set to SHA1 as I would expect, then getting the digest, then doing the encryption. What&#39;s making the results differ?

**EDIT:**

Leonidas made me check whether the signature scheme is supposed to do what I think it does. There are two types of signature defined in the [RFC][1]:

* [RSASSA-PKCS1-v1_5][2]
* [RSASSA-PSS][3]

The [first of these][2] (PKCS1) is the one I describe above. It uses a hash function to create a digest, and then encrypts the result with a private key.

The [second algorithm][3] uses a random salt value, and is more secure but non-deterministic. The signature produced from the code above does not change if the same key is used repeatedly, so I don&#39;t think it can be PSS.


  [1]: http://www.apps.ietf.org/rfc/rfc3447.html
  [2]: http://www.apps.ietf.org/rfc/rfc3447.html#sec-9.2
  [3]: http://www.apps.ietf.org/rfc/rfc3447.html#sec-9.1

**EDIT:**

Here&#39;s the `bytes2string` method I was using:

    private static String bytes2String(byte[] bytes) {
    	StringBuilder string = new StringBuilder();
    	for (byte b : bytes) {
    		String hexString = Integer.toHexString(0x00FF &amp; b);
    		string.append(hexString.length() == 1 ? &quot;0&quot; + hexString : hexString);
    	}
    	return string.toString();
    }

Using SHA1 and RSA with java.security.Signature vs. MessageDigest and Cipher

When connecting to a network share for which the current user (in my case, a network enabled service user) has no rights, name and password have to be provided.

I know how to do this with Win32 functions (the `WNet*` family from `mpr.dll`), but would like to do it with .Net (2.0) functionality.

What options are available?

**Maybe some more information helps:**

  - The use case is a windows service, not an Asp.Net application.
  - The service is running under an account which has no rights on the share.
  - The user account needed for the share is not known on the client side.
  - Client and server are not members of the same domain.

How to provide user name and password when connecting to a network share

Is hashing a password twice before storage any more or less secure than just hashing it once?

What I&#39;m talking about is doing this:

    $hashed_password = hash(hash($plaintext_password));

instead of just this:

    $hashed_password = hash($plaintext_password);

If it is less secure, can you provide a good explanation (or a link to one)?

Also, does the hash function used make a difference?  Does it make any difference if you mix md5 and sha1 (for example) instead of repeating the same hash function?

Note 1:  When I say &quot;double hashing&quot; I&#39;m talking about hashing a password twice in an attempt to make it more obscured.  I&#39;m not talking about the [technique for resolving collisions][1].

**Note 2:  I know I need to add a random salt to really make it secure.  The question is whether hashing twice with the same algorithm helps or hurts the hash.**


  [1]: http://en.wikipedia.org/wiki/Double_hashing

Is &quot;double hashing&quot; a password less secure than just hashing it once?

For example I can point the `url &#39;^/accounts/password/reset/$&#39;` to `django.contrib.auth.views.password_reset` with my template filename in the context but I think need to send more context details.

I need to  know exactly what context to add for each of the password reset and change views.


How do I use the built in password reset/change views with my own templates

I&#39;m having some trouble understanding the purpose of a salt to a password.  It&#39;s my understanding that the primary use is to hamper a rainbow table attack.  However, the methods I&#39;ve seen to implement this don&#39;t seem to really make the problem harder.

I&#39;ve seen many tutorials suggesting that the salt be used as the following:

    $hash =  md5($salt.$password)

The reasoning being that the hash now maps not to the original password, but a combination of the password and the salt.  But say `$salt=foo` and `$password=bar` and `$hash=3858f62230ac3c915f300c664312c63f`.  Now somebody with a rainbow table could reverse the hash and come up with the input &quot;foobar&quot;.  They could then try all combinations of passwords (f, fo, foo, ... oobar, obar, bar, ar, ar).  It might take a few more milliseconds to get the password, but not much else.

The other use I&#39;ve seen is on my linux system.  In the /etc/shadow the hashed passwords are actually stored *with* the salt.  For example, a salt of &quot;foo&quot; and password of &quot;bar&quot; would hash to this: `$1$foo$te5SBM.7C25fFDu6bIRbX1`.  If a hacker somehow were able to get his hands on this file, I don&#39;t see what purpose the salt serves, since the reverse hash of `te5SBM.7C25fFDu6bIRbX` is known to contain &quot;foo&quot;.

Thanks for any light anybody can shed on this.

**EDIT**:  Thanks for the help.  To summarize what I understand, the salt makes the hashed password more complex, thus making it much less likely to exist in a precomputed rainbow table.  What I misunderstood before was that I was assuming a rainbow table existed for ALL hashes.

How does password salt help against a rainbow table attack?

I&#39;ve always been curious... Which is better when salting a password for hashing: prefix, or postfix? Why? Or does it matter, so long as you salt?

To explain: We all (hopefully) know by now that we should [salt][1] a password before we hash it for storage in the database [**Edit:** So you can avoid things like [what happened to Jeff Atwood recently][2]]. Typically this is done by concatenating the salt with the password before passing it through the hashing algorithm. But the examples vary... Some examples prepend the salt before the password. Some examples add the salt *after* the password. I&#39;ve even seen some that try to put the salt in the middle. 

So which is the better method, and why? Is there a method that decreases the chance of a hash collision? My Googling hasn&#39;t turned up a decent analysis on the subject. 

**Edit:** Great answers folks! I&#39;m sorry I could only pick one answer. :)


  [1]: http://en.wikipedia.org/wiki/Salt_(cryptography)
  [2]: http://blog.codinghorror.com/i-just-logged-in-as-you-how-it-happened/

Salting Your Password: Best Practices?

I&#39;ve always used a proper per-entry salt string when hashing passwords for database storage. For my needs, storing the salt in the DB next to the hashed password has always worked fine. 

However, some people recommend that the salt be stored separately from the database. Their argument is that if the database is compromised, an attacker can still build a rainbow table taking a particular salt string into account in order to crack one account at a time. If this account has admin privileges, then he may not even need to crack any others.

From a security perspective, is it worth it to store salts in a different place? Consider a web application with the server code and DB on the same machine. If the salts are stored in a flat file on that machine, chances are that if the database is compromised, the salts file will be, too. 

Are there any recommended solutions to this?

Where do you store your salt strings?

How much more safe is this than plain [MD5][1]? I&#39;ve just started looking into password security. I&#39;m pretty new to PHP.

    $salt = &#39;csdnfgksdgojnmfnb&#39;;

    $password = md5($salt.$_POST[&#39;password&#39;]);
    $result = mysql_query(&quot;SELECT id FROM users
                           WHERE username = &#39;&quot;.mysql_real_escape_string($_POST[&#39;username&#39;]).&quot;&#39;
                           AND password = &#39;$password&#39;&quot;);

    if (mysql_num_rows($result) &lt; 1) {
        /* Access denied */
        echo &quot;The username or password you entered is incorrect.&quot;;
    } 
    else {
        $_SESSION[&#39;id&#39;] = mysql_result($result, 0, &#39;id&#39;);
        #header(&quot;Location: ./&quot;);
        echo &quot;Hello $_SESSION[id]!&quot;;
    }

  [1]: http://en.wikipedia.org/wiki/MD5


How can I store my users&#39; passwords safely?

As I understand it, the best practice for generating salts is to use some cryptic formula (or even magic constant) stored in your source code.

I&#39;m working on a project that we plan on releasing as open source, but the problem is that with the source comes the secret formula for generating salts, and therefore the ability to run rainbow table attacks on our site.

I figure that lots of people have contemplated this problem before me, and I&#39;m wondering what the best practice is. It seems to me that there is no point having a salt at all if the code is open source, because salts can be easily reverse-engineered.

Thoughts?

Salt Generation and open source software

I have read that when hashing a password, many programmers recommend using the BCrypt algorithm. 

I am programming in C# and is wondering if anyone knows of a good implementation for BCrypt? I found [this page][1], but I don&#39;t really know if it is bogus or not. 

What should I be aware of when choosing a password hashing scheme? Is BCrypt a &#39;good&#39; implementation?

  [1]: http://derekslager.com/blog/posts/2007/10/bcrypt-dotnet-strong-password-hashing-for-dotnet-and-mono.ashx

Is BCrypt a good hashing algorithm to use in C#? Where can I find it?

Does anyone know of a good implementation of bcrypt, I know this question has been asked before but it got very little response.   I&#39;m a bit unsure of just picking an implementation that turns up in google and am thinking that I may be better off using sha256 in the System.Security.Cryptography namespace, at least then I know it&#39;s supported!  What are you thoughts?

.net implementation of bcrypt

I&#39;m looking at ways to securely store passwords. Some people claim that scrypt is &quot;better&quot; than bcrypt, and so far I&#39;ve seen nobody who claims vice versa or that scrypt is insecure, though some call bcrypt &quot;more reputable&quot;.

What&#39;s the advantage of scrypt over bcrypt? According to the scrypt website, &quot;the cost of a hardware brute-force attack against scrypt is roughly 4000 times greater than the cost of a similar attack against bcrypt&quot;. If that&#39;s the only advantage then can&#39;t I just use bcrypt with a larger number of rounds?

What&#39;s the advantage of scrypt over bcrypt?

What would be an ideal bcrypt work factor for password hashing.

If I use a factor of 10, it takes approx .1s to hash a password on my laptop. If we end up with a very busy site, that turns into a good deal of work just checking people&#39;s passwords.

Perhaps it would be better to use a work factor of 7, reducing the total password hash work to about .01s per laptop-login?

How do you decide the tradeoff between brute force safety and operational cost?

Optimal bcrypt work factor

Every now and then I hear the advice &quot;Use bcrypt for storing passwords in PHP, bcrypt rules&quot;.

But what is `bcrypt`? PHP doesn&#39;t offer any such functions, Wikipedia babbles about a file-encryption utility and Web searches just reveal a few implementations of [Blowfish][1] in different languages. Now Blowfish is also available in PHP via `mcrypt`, but how does that help with storing passwords? Blowfish is a general purpose cipher, it works two ways. If it could be encrypted, it can be decrypted. Passwords need a one-way hashing function.

What is the explanation?

  [1]: http://en.wikipedia.org/wiki/Blowfish_%28cipher%29


Content Type	Original Author	Original Content on Stackoverflow
Question	RodeoClown	View Question on Stackoverflow
Solution 1 - Java	Greg Hewgill	View Answer on Stackoverflow

Do I need to store the salt with bcrypt?

Java Problem Overview

Java Solutions

Solution 1 - Java

Parse RSS with jQuery

Do event handlers stop garbage collection from occurring?

Attributions