https://forum.world.st/Validate-password-with-PBKDF2-tp4952973p4953005.html
Saving the salt is not a big issue but I'd like something more simple.
... print("It Matches!")
> Looks like you'll have to store the salt when making the original hash of
> the password.
>
> With that you can do
>
>
> | salt originalPassword userInputPassword originalHash newHash secretKey |
> "The salt must be kept with the original hash so the same one is used here."
> salt := 'salt'.
> originalPassword := 'password'.
> userInputPassword := '12345678'.
> "Derive both hashes with the same salt; only then are they comparable."
> originalHash := PBKDF2 derivedKeySHA1Password: originalPassword salt: salt.
> newHash := PBKDF2 derivedKeySHA1Password: userInputPassword salt: salt.
>
> "Random key used only inside the comparison."
> secretKey := SecureRandom new nextBytes: 16.
>
> "Compare the HMACs of the two hashes rather than the hashes themselves."
> ((SHA256 new hmac key: secretKey) digestMessage: originalHash)
>     = ((SHA256 new hmac key: secretKey) digestMessage: newHash).
>
>
>
> We do the double SHA256 HMAC signing of the hashes because of
> https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/
> You can store the #secretKey and each user should get a new #salt every
> time they change their password and you shouldn't reuse the salts for
> other users or passwords.
>
> For PBKDF2 there is probably a max (or recommended) salt length but I
> don't know it.
>
> I also don't know anything about the SecureRandom class but it says it on
> the tin, so maybe it is. Maybe not though. I don't know how to find out.
> But I don't know that it matters in this instance as it's only used for the
> SHA256 HMAC internally in the comparison function.
>
>
> Hope this helps.
>
>
> Francis wrote
>> Hi folks
>>
>> I'm playing with the PBKDF2 package of Udo:
>> http://www.smalltalkhub.com/#!/~UdoSchneider/PBKDF2
>> (thanks Udo), but I can't find how to validate a stored hash.
>> Can you point me in the right direction?
>>
>> Thanks
>> Francis
Sent from the Pharo Smalltalk Users mailing list archive at Nabble.com.
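The procedure the reply describes (store the salt next to the hash, re-derive with the same salt on login, then compare the two hashes through a keyed HMAC rather than a plain equality check) written out as an added example in Python with the standard library. This is not code from the thread or from Udo's PBKDF2 package; it uses PBKDF2-HMAC-SHA256 from hashlib, and the iteration count, salt length, key length and the `pbkdf2-sha256$...` record format are assumptions chosen for the example. It also packs salt, iteration count and hash into a single string, which addresses the "something more simple" wish above by leaving only one field to store.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example; a deployment chooses its own.
ITERATIONS = 100_000
SALT_LEN = 16
KEY_LEN = 32
SCHEME = "pbkdf2-sha256"


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a PBKDF2-HMAC-SHA256 hash and return everything that must be
    stored with it: the salt and the iteration count.  A fresh random salt is
    drawn per password, so the same password stored twice yields two hashes."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=KEY_LEN)
    return {"salt": salt, "iterations": ITERATIONS, "hash": dk}


def double_hmac_equal(a: bytes, b: bytes, key: Optional[bytes] = None) -> bool:
    """The 'double HMAC' comparison from the thread: HMAC both values under a
    random key and compare the tags.  Because the tags are unpredictable to a
    caller, an early-exit byte comparison of them reveals nothing about the
    stored hash.  The final compare uses hmac.compare_digest, which is itself
    constant-time; the HMAC step is what the thread recommends on top of it."""
    if key is None:
        key = os.urandom(32)
    tag_a = hmac.new(key, a, hashlib.sha256).digest()
    tag_b = hmac.new(key, b, hashlib.sha256).digest()
    return hmac.compare_digest(tag_a, tag_b)


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and iteration count, then compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"],
                                    dklen=len(record["hash"]))
    return double_hmac_equal(candidate, record["hash"])


def encode_record(record: dict) -> str:
    """Pack scheme, iterations, salt and hash into one '$'-separated string
    (an assumed format) so only a single column needs storing."""
    return "{}${}${}${}".format(
        SCHEME,
        record["iterations"],
        base64.b64encode(record["salt"]).decode("ascii"),
        base64.b64encode(record["hash"]).decode("ascii"),
    )


def decode_record(encoded: str) -> dict:
    """Inverse of encode_record; rejects records of any other scheme."""
    scheme, iterations, salt_b64, hash_b64 = encoded.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported hash scheme: %r" % scheme)
    return {
        "salt": base64.b64decode(salt_b64),
        "iterations": int(iterations),
        "hash": base64.b64decode(hash_b64),
    }


if __name__ == "__main__":
    stored = encode_record(make_record("correct horse"))  # what goes in the DB
    print(stored)
    print("It Matches!" if verify("correct horse", decode_record(stored)) else "No match")
    print("It Matches!" if verify("12345678", decode_record(stored)) else "No match")
```

Note that the random comparison key is drawn per call and never needs to be stored; the stored record carries only scheme, iteration count, salt and hash, and the iteration count travels with the record so it can be raised later for new passwords without breaking verification of old ones.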