Good rule of thumb: If you need encryption, don't do it yourself. You'll get it wrong!
So far so good. I was looking at Jasypt for that reason. It claims to do all the complicated stuff for you, without you needing to understand it. It offers you a class with the trustworthy name StrongPasswordEncryptor:
Utility class for easily performing high-strength password digesting and checking.
Still I wanted to know more about what it does, before I trust my users passwords to it. As it claims in the API:
This class internally holds a StandardStringDigester configured this way:
- Algorithm: SHA-256.
- Salt size: 16 bytes.
- Iterations: 100000.
And that's where my basic knowledge of that topic tells me: That's not how you should do it!
In fact it looks to me like a naive approach. Take SHA, because MD5 is not secure any more, but better take one with a bigger number, because bigger is better there. Put multiple bytes of salt in there and then run it lots of times to be harder to crack.
Why do I think that is bad? SHA is basically designed to be an elaborate kind of check digit. It is meant to be fast. That is the opposite of what you want of a password hashing algorithm. You want those to be expensive even on hardware designed to be fast on them. In fact there is a lot of discourse on the web on whether bcrypt and PBKDF2 lack some important requirements and if scrypt should be used instead. Look at these stackexchange questions to get an idea: https://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage, SHA512 vs. Blowfish and Bcrypt
To give a quote from http://www.jasypt.org/howtoencryptuserpasswords.html:
In most cases, both MD5 or SHA-1 will be adequate choices for password digesting, although applying these algorithms will not be enough, as we will see later on.
I'm passionately disagreeing on that point, because of the reasons above.
Am I missing something here, or is Jasypt really selling me a fundamentally flawed algorithm under the name StrongPasswordEncryptor? Because if it does, I don't want to trust that library with my most sensitive data.
I know I could just decide to simply not use it, but because of the rule of thumb I mentioned at the beginning, I'd like to have my evaluation checked by people with an understanding of password encryption.
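As an added illustration (not from the question, and not Jasypt's code), the following Python models the salted, iterated SHA-256 scheme the question describes (16-byte salt, 100000 iterations) beside PBKDF2-HMAC-SHA256 and scrypt from the standard library, so the work factor of each can be measured on your own machine. The byte layout of the naive loop (salt || password, then re-hash the digest) is an assumption, not Jasypt's exact implementation.

```python
import hashlib
import hmac
import os
import time

# Parameters Jasypt documents for StrongPasswordEncryptor (from the question).
SALT_BYTES = 16
ITERATIONS = 100_000


def iterated_sha256(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated plain SHA-256. This models the scheme described in the
    question; the byte layout (salt || password, then re-hash the digest)
    is an assumption, not Jasypt's implementation."""
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the standardised way to iterate a fast hash (RFC 8018)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def scrypt_hash(password: bytes, salt: bytes) -> bytes:
    """scrypt: memory-hard, so GPU/ASIC attackers gain far less per dollar than
    against a plain SHA-256 loop. n=2**14, r=8 needs about 16 MiB per hash."""
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)


def verify(candidate: bytes, salt: bytes, stored: bytes, kdf) -> bool:
    """Constant-time comparison so verification does not leak digest bytes via timing."""
    return hmac.compare_digest(kdf(candidate, salt), stored)


def cost_seconds(kdf, password: bytes = b"correct horse battery staple") -> float:
    """Wall-clock cost of one hash on this machine, for comparing work factors."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    kdf(password, salt)
    return time.perf_counter() - start


if __name__ == "__main__":
    for name, kdf in [("iterated SHA-256", iterated_sha256),
                      ("PBKDF2-HMAC-SHA256", pbkdf2_sha256),
                      ("scrypt", scrypt_hash)]:
        print(f"{name:>20}: {cost_seconds(kdf) * 1000:.1f} ms per hash")
```

The timings show what a defender can tune: the iterated SHA-256 loop is cheap per guess on a GPU, while scrypt's memory requirement is what keeps the attacker's cost close to your own.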