Basic Password Hashing Grails

I am currently playing around with Grails, and I am making a basic login and session system (just for fun).

I currently have a form on a webpage that reads a username and password and sends them into a controller. This is currently what the code in the controller looks like:

def login = {
    String inputPassword = params.password
    if (params.username == "admin" && inputPassword == "changeme") {
        flash.message = "login succeed"
        session.user = "admin"
    } else {
        flash.message = "login failed"
    }
    redirect(action: 'index')
}

def logout = {
    session.user = null
    redirect(action: 'index')
}

Now, I know it is a bad idea to store passwords in raw text, so I would like to play around with hashing the password.

I would assume this block of code that takes the input from the password field and assigns it to the variable inputPassword:

String inputPassword = params.password

can be changed to look something like this with some sort of API:

String inputPassword = aHashOf(params.password)

and the check step can look like this:

if(params.username == "admin" && inputPassword == (whatever the final hash looks like) )

Is there an API or built in function that can help me with this? Am I trying to go around this the wrong way? Any suggestions?

Also, later, when I learn to use databases, can this process be easily changed to use database values?

-------------Problems Reply------------

Although it seems reasonable to implement something like this by yourself to learn the basics of how authentication & authorization work, for real use cases it seems more realistic to use a framework / library for this.

In the Java/Spring world (which Grails is a part of) there is Spring Security with its Grails plugin spring-security-core, as well as Apache Shiro. The docs of the plugin should give you a good starting point on how to use the API of Spring Security.

Category:grails Views:1 Time:2018-04-14
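As an added example (not code from the question, the answer, or the Spring Security plugin), here is the login check from the question rewritten so that only a salted PBKDF2 record is kept and compared, using nothing beyond the JDK's javax.crypto classes as called from Groovy. The class names PasswordHasher and LoginController, the iteration count, and the "iterations:salt:hash" record layout are assumptions made for this example; the stored record would normally come from a database column once users are persisted.

```groovy
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import java.security.MessageDigest
import java.security.SecureRandom

// Hypothetical helper, not part of Grails or Spring Security.
class PasswordHasher {
    static final int ITERATIONS = 100_000   // assumed work factor; tune for your hardware
    static final int SALT_BYTES = 16
    static final int KEY_BITS   = 256

    // Derives a PBKDF2-HMAC-SHA256 key from the password and a per-record salt.
    private static byte[] derive(String password, byte[] salt, int iterations) {
        def spec = new PBEKeySpec(password.toCharArray(), salt, iterations, KEY_BITS)
        def factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
        try {
            return factory.generateSecret(spec).encoded
        } finally {
            spec.clearPassword()   // scrub the char[] copy of the password
        }
    }

    // Produces a self-describing "iterations:salt:hash" record (base64 fields) for storage.
    // The salt is random per record, so the same password yields a different record each time.
    static String hash(String password) {
        byte[] salt = new byte[SALT_BYTES]
        new SecureRandom().nextBytes(salt)
        byte[] dk = derive(password, salt, ITERATIONS)
        return "${ITERATIONS}:${salt.encodeBase64()}:${dk.encodeBase64()}"
    }

    // Re-derives with the stored salt and iteration count, then compares in constant time.
    // Note that the submitted password is never hashed "on its own": the salt comes from the record.
    static boolean verify(String password, String stored) {
        def parts = stored.split(':')
        if (parts.length != 3) return false
        int iterations = parts[0].toInteger()
        byte[] salt = parts[1].decodeBase64()
        byte[] expected = parts[2].decodeBase64()
        byte[] actual = derive(password, salt, iterations)
        return MessageDigest.isEqual(expected, actual)   // constant-time comparison
    }
}

// Hypothetical controller sketch mirroring the question's closure.
class LoginController {
    // Constructed once for this example only; in a real app this record lives in the user table.
    static final String ADMIN_RECORD = PasswordHasher.hash("changeme")

    def login = {
        String submitted = params.password ?: ""
        if (params.username == "admin" && PasswordHasher.verify(submitted, ADMIN_RECORD)) {
            flash.message = "login succeed"
            session.user = "admin"
        } else {
            flash.message = "login failed"
        }
        redirect(action: 'index')
    }

    def logout = {
        session.user = null
        redirect(action: 'index')
    }
}
```

The change from the question's sketch is that the comparison is not `inputPassword == someConstantHash`: because the salt is random and stored with the hash, verification re-runs the derivation with that salt and compares the results. Moving to a database later only changes where ADMIN_RECORD comes from; the record string fits in a single column, and the stored iteration count lets you raise the work factor for new records without invalidating old ones.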
