Colleagues, Denis,

It will be great to use bcrypt for password hashing in Ignite.
Could you suggest the right way to use bcrypt:
1. add 'jbcrypt' maven dependency;
2. include the single '' file to our project [1].

Does the license allow us to include ''?


On 18.01.2018 13:50, Taras Ledkov wrote:

Password hashing algorithms of the popular vendors:

mysql: SHA-265, old-native-hash
postgres: MD5, DES, Extended DES, Blowfish-based
oracle: SHA-1

Some notes on the "comparison" of SHA-2 vs bcrypt [1]:

> SHA-512 is a cryptographic hash while bcrypt is a password hash or PBKDF (password based key derivation function).

> SHA-512 has been designed to be fast. You don't want any delays when validating a signature, for instance.
> There is no reason for generic cryptographic hashes to be slow.

> bcrypt on the other hand is a password hash that performs key strengthening on the input.
> Basically it does this by slowing down the calculation so that attackers will have to spend
> more resources to find the input by brute forcing or dictionary attacks.
> The idea is that although the legit users - you in this case - will also be slowed down,
> they are only slowed down once per password. However the attackers are slowed down for each try.
> The legit user is of course much more likely to input the right password first.

> Furthermore bcrypt also contains a salt as input, which can be used to avert rainbow table attacks.

Conclusion: bcrypt can provide more security but the popular vendors use SHA and even MD5 by default.


On 18.01.2018 9:29, Vladimir Ozerov wrote:

I think we need a comparison of the available options and (possibly) an analysis
of what other vendors use.

On Tue, Jan 16, 2018 at 3:56 PM, Taras Ledkov wrote:

What do you think about using bcrypt [1], [2] to store the encrypted password?


On 15.01.2018 11:19, Vladimir Ozerov wrote:

2) Credentials will be stored in a form of [username + hash] [1]

Taras Ledkov
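
The [username + hash] storage scheme and the salted, deliberately slow bcrypt hashing discussed in this thread, as an added example that is not part of the original messages and is not Ignite code. It assumes the jbcrypt library mentioned above is on the classpath; the class name `BcryptCredentialStore`, the in-memory map and the cost factor of 12 are hypothetical choices made for illustration.

```java
import org.mindrot.jbcrypt.BCrypt;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical in-memory credential store: username -> bcrypt hash string. */
public class BcryptCredentialStore {
    // Assumed work factor; each increment doubles the hashing time.
    private static final int COST = 12;

    // Hash of a throwaway value, verified when the user is unknown so that
    // unknown and known usernames cost the same amount of work.
    private static final String DUMMY_HASH = BCrypt.hashpw("placeholder", BCrypt.gensalt(COST));

    private final Map<String, String> hashes = new ConcurrentHashMap<>();

    public void setPassword(String user, String password) {
        // gensalt() draws a fresh random salt per password; the salt and the
        // cost are embedded in the returned string ("$2a$12$<salt><hash>").
        hashes.put(user, BCrypt.hashpw(password, BCrypt.gensalt(COST)));
    }

    public boolean authenticate(String user, String candidate) {
        String stored = hashes.get(user);
        if (stored == null) {
            BCrypt.checkpw(candidate, DUMMY_HASH);
            return false;
        }
        if (!BCrypt.checkpw(candidate, stored))
            return false;
        // Re-hash on successful login if the stored hash used a lower cost.
        if (costOf(stored) < COST)
            setPassword(user, candidate);
        return true;
    }

    /** Parses the cost field from a "$2a$NN$..." hash string. */
    static int costOf(String hash) {
        return Integer.parseInt(hash.split("\\$")[2]);
    }

    public static void main(String[] args) {
        BcryptCredentialStore store = new BcryptCredentialStore();
        store.setPassword("ignite", "constructed-sample-password"); // constructed sample values
        System.out.println(store.authenticate("ignite", "constructed-sample-password"));
        System.out.println(store.authenticate("ignite", "wrong"));
        System.out.println(store.authenticate("nobody", "wrong"));
    }
}
```

Because the salt and cost travel inside the hash string, the store needs no separate salt column, and raising `COST` later upgrades existing users one login at a time.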
