One-way Hash Functions Without Salt

Overview

Unsalted hashes produce identical values for identical passwords and are vulnerable to precomputed attacks.

Impact

Without a unique salt per password, a single precomputed rainbow table can be reused against every stored hash, and users who chose the same password are immediately identifiable because their hashes match.

Countermeasures

Use a dedicated password hashing algorithm such as bcrypt, scrypt, Argon2, or PBKDF2, with a unique random salt per password and appropriate cost parameters.

Examples

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Weak: the password is hashed with no salt, so identical passwords always
// yield identical digests, which precomputed tables can be matched against.
public byte[] getHash(String password) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    digest.reset();
    return digest.digest(password.getBytes(StandardCharsets.UTF_8));
}