I'm creating a hash from a given password in Java and storing that into a MySQL database. I've read a lot about storing a salt in the database but there are a couple reasons I've chosen not to here. There seems to be no way to completely hide a random salt specific to each user from Hacker and there's no way to hide that I have a hosted database and downloadable software. Because this software is only used in house it has at most 20 users and Hacker is far more likely to stumble upon the database port than he is the software. At least by generating the salt in the software instead of storing it in the database, he'll need to find the software to decompile and determine the salt/hash method.
Here's the mothod I'm using:
public static byte[] getHash(String password) throws NoSuchAlgorithmException {
MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] passBytes = password.getBytes();
byte[] salt = digest.digest(passBytes);
byte[] digestable = new byte[passBytes.length + salt.length];
System.arraycopy(passBytes, 0, digestable, 0, passBytes.length);
System.arraycopy(salt, 0, digestable, passBytes.length, salt.length);
return digest.digest(digestable);
}
EDIT: Precident for putting this here
I see that I need to generate a random salt and I can store it now.
No, the only acceptable password hashing methods are bcrypt, scrypt, and PBKDF2.
SHA-256 is too fast. You want a slow hashing method, like the above.
If you main security threat is SQL injection, then you should pepper the passwords. This means HMAC-ing the password with a secret known by the web server, but not the database server. See https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage.
You should also deny user/password table access to your web server, and have a very simple stored procedure api for authentication.