Class Pbkdf2Hasher

java.lang.Object
com.oorian.security.Pbkdf2Hasher
All Implemented Interfaces:
PasswordHasher

public class Pbkdf2Hasher extends Object implements PasswordHasher
PBKDF2-HMAC-SHA256 implementation of PasswordHasher.

This implementation uses the JDK built-in PBKDF2WithHmacSHA256 algorithm, requiring no external dependencies. It is a suitable alternative when bcrypt dependencies are not available or when FIPS compliance is required.

The hash output format is:

PBKDF2:iterations:salt:hash

Where salt and hash are Base64-encoded.

Usage:

 // Default iterations (210,000)
 PasswordHasher hasher = new Pbkdf2Hasher();

 // Custom iterations (must be at least MIN_ITERATIONS, 10,000)
 PasswordHasher strongerHasher = new Pbkdf2Hasher(310000);

 String hash = hasher.hash("myPassword123");
 boolean valid = hasher.verify("myPassword123", hash);
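The contract described above (the PBKDF2:iterations:salt:hash format, JDK PBKDF2WithHmacSHA256, a fresh random salt per hash, and constant-time comparison with MessageDigest.isEqual) carried through in a self-contained class, added here as an example; it is not the project's Pbkdf2Hasher. The 16-byte salt, the 256-bit derived key, and refusing stored records whose iteration count is below MIN_ITERATIONS in verify are this example's assumptions, not details the page states.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical stand-in written from the documented contract; not the project's Pbkdf2Hasher.
public final class Pbkdf2Example {
    static final int MIN_ITERATIONS = 10_000; // documented minimum
    static final int SALT_BYTES = 16; // assumption: salt length is not stated on the page
    static final int KEY_BITS = 256;  // assumption: derived-key length is not stated on the page
    private final int iterations;
    public Pbkdf2Example(int iterations) {
        if (iterations < MIN_ITERATIONS) throw new IllegalArgumentException("iterations below " + MIN_ITERATIONS);
        this.iterations = iterations;
    }

    // PBKDF2-HMAC-SHA256 via the JDK provider; no external dependency.
    private static byte[] derive(char[] pw, byte[] salt, int iters) {
        try {
            PBEKeySpec spec = new PBEKeySpec(pw, salt, iters, KEY_BITS);
            byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            spec.clearPassword(); // PBEKeySpec keeps its own copy of the password; wipe it
            return key;
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    // Emits "PBKDF2:iterations:salt:hash" with Base64 salt and hash; fresh random salt per call.
    public String hash(String password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] dk = derive(password.toCharArray(), salt, iterations);
        Base64.Encoder enc = Base64.getEncoder();
        return "PBKDF2:" + iterations + ":" + enc.encodeToString(salt) + ":" + enc.encodeToString(dk);
    }
    // Re-derives with the salt and iteration count stored in the record; compares in constant time.
    public boolean verify(String password, String stored) {
        String[] p = stored.split(":");
        if (p.length != 4 || !p[0].equals("PBKDF2")) return false; // malformed record
        byte[] salt, expected; int iters;
        try {
            iters = Integer.parseInt(p[1]);
            salt = Base64.getDecoder().decode(p[2]);
            expected = Base64.getDecoder().decode(p[3]);
        } catch (IllegalArgumentException e) { return false; } // covers NumberFormatException too
        if (iters < MIN_ITERATIONS) return false; // refuse a record weakened below the documented floor
        return MessageDigest.isEqual(expected, derive(password.toCharArray(), salt, iters));
    }
}
```

Because the iteration count is read from the stored record rather than from the hasher, records written with a different count still verify, which is what lets a deployment raise the default later without invalidating existing hashes.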
Since:
2.1
Version:
1.0
Author:
Marvin P. Warble Jr.
  • Field Summary

    Fields
    Modifier and Type    Field                 Description
    static final int     DEFAULT_ITERATIONS    Default number of PBKDF2 iterations (OWASP 2023 recommendation for SHA-256).
    static final int     MIN_ITERATIONS        Minimum allowed iterations.
  • Constructor Summary

    Constructors
    Constructor                     Description
    Pbkdf2Hasher()                  Creates a Pbkdf2Hasher with the default iteration count of 210,000.
    Pbkdf2Hasher(int iterations)    Creates a Pbkdf2Hasher with the specified iteration count.
  • Method Summary

    Modifier and Type    Method                                  Description
    int                  getIterations()                         Returns the iteration count used by this hasher.
    String               hash(String password)                   Hashes a plaintext password.
    boolean              verify(String password, String hash)    Verifies a plaintext password against a previously hashed value.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • DEFAULT_ITERATIONS

      public static final int DEFAULT_ITERATIONS
      Default number of PBKDF2 iterations, 210,000 (OWASP 2023 recommendation for SHA-256).
    • MIN_ITERATIONS

      public static final int MIN_ITERATIONS
      Minimum allowed iterations, 10,000; the constructor rejects lower values with IllegalArgumentException.
  • Constructor Details

    • Pbkdf2Hasher

      public Pbkdf2Hasher()
      Creates a Pbkdf2Hasher with the default iteration count of 210,000.
    • Pbkdf2Hasher

      public Pbkdf2Hasher(int iterations)
      Creates a Pbkdf2Hasher with the specified iteration count.
      Parameters:
      iterations - the number of PBKDF2 iterations (minimum 10,000)
      Throws:
      IllegalArgumentException - if iterations is below the minimum
  • Method Details

    • hash

      public String hash(String password)
      Hashes a plaintext password.

      Implementations must generate a cryptographically random salt and include it in the returned hash string so that PasswordHasher.verify(String, String) can extract it for comparison.

      Specified by:
      hash in interface PasswordHasher
      Parameters:
      password - the plaintext password to hash
      Returns:
      the hashed password string (includes salt and algorithm parameters)
    • verify

      public boolean verify(String password, String hash)
      Verifies a plaintext password against a previously hashed value.

      Implementations must use constant-time comparison to prevent timing attacks.

      Uses constant-time comparison via MessageDigest.isEqual(byte[], byte[]) to prevent timing attacks.

      Specified by:
      verify in interface PasswordHasher
      Parameters:
      password - the plaintext password to verify
      hash - the previously hashed password to compare against
      Returns:
      true if the password matches the hash, false otherwise
    • getIterations

      public int getIterations()
      Returns the iteration count used by this hasher.
      Returns:
      the number of PBKDF2 iterations