# ktor

Nathan Kleinschmidt

04/14/2022, 3:04 PM
Which is the recommended library for hashing passwords in Kotlin/Ktor? E.g. bcrypt does not appear to have an official Kotlin library.

nschulzke

04/14/2022, 3:19 PM
If you're running your server on the JVM, you can (and probably should) just use the Java standard library. An example with PBKDF2: https://www.baeldung.com/java-password-hashing
Any Kotlin-specific library is going to be less mature than the Java standard library equivalent, which matters a lot for anything cryptographic.

Nathan Kleinschmidt

04/14/2022, 3:29 PM
I haven’t used PBKDF2 before - looks like it’s similar to BCrypt, with salts. Are you using the Spring Security library?

nschulzke

04/14/2022, 5:38 PM
You could do that and it would be a very safe bet, but I'm not.

Robert Menke

04/14/2022, 7:18 PM
PBKDF2 is NOT similar to bcrypt. PBKDF = password based key derivation function. You are using a password to derive a key. This is not even remotely the same as bcrypt, which is a hashing algorithm with an associated cost that helps prevent someone from using brute force to crack passwords on your system.

nschulzke

04/14/2022, 8:02 PM
Many people do use pbkdf2 to hash passwords to prevent brute force attacks on a leaked database, and as near as I can tell this use is still blessed by NIST. BCrypt is better at resisting such attacks because attackers can't use GPUs as easily, and it is probably the correct choice going forward, but comparing the two is not comparing apples to oranges. They're both widely used for the same purpose: hashing passwords to slow down brute force attacks.

hfhbd

04/14/2022, 9:12 PM
I would just use BCrypt with spring-security-crypto: simple, secure and widely used.