Password Hashing

The safest way to store passwords in your application is not to store them at all. Instead create a virtual representation of the password in a form of a salted hash.


Standard security practices require that passwords cannot be stored in plain text. Unlike SSL encryption, a password does not need to be decrypted to be compared with some value; instead, a one-way computationally intensive virtual representation, or a hash, is created for that value with a hashing function.

Hashing function produces the same random string for the same phrase, making it vulnerable to dictionary attacks, so an additional random string, called a salt, is generated and fed into the hashing function to produce a truly unique value.

While verifying a user’s password, the stored salted hash is read. The stored hash itself contains the salt with which it was generated. Hashing function takes the same salt to generate a salted hash of the provided text value. The resulting hash is then compared to the original hash.

A great library to use for password hashing operations is Bcrypt. It is currently accepted as the standard in cryptographic algorithms.

Library Dependencies

Add the following line to build.sbt.

Hash Utility

Add a Hash utility to your project.

Code Example

Example: LineDrop Play/Scala Web Application - Hash Utility

Usage Examples

Hashing User's Password

See the complete example at LineDrop Play/Scala Web Application - User Model.

Validating User's Password against a Hash

Make sure that the password is sent over HTTPS.



Related Articles

Browse related articles