I need to store password digests within an Oracle8 table, with the password field mapped to a varChar(30 length) column. Can you suggest which MessageDigest(MD2, MD5 or SHA1) is more suitable? Also, how should I compare the input password and the original password digest that been stored in the database?

Created Sep 25, 2001

Eugene Kuleshov

I would like to recommend you to use SHA or MD5 because they are included into any JDK beginning from 1.1.x. If you need a comparsion of digest's hashing algorithms look at "The Hashing Function Lounge".

You can find example of using MessageDigest in JavaDoc for the MessageDigest class.

  MessageDigest md = MessageDigest.getInstance( "SHA");

  byte[] digest1 = md.update( thePasswordString.getBytes( encoding));

  byte[] digest2 = readDigestFromDB( userName);

  boolean isEqual = Arrays.equals( digest1, digest2);

Keep in mind that getting bytes from the Sring may not be safe for non English languages because of different encoding.