SHA-1 and MD5 algorithms have been known to be compromised.  Also, if
you want the safest password hash, you'll want to use a salt and
multiple hash iterations (I do this on all of my applications):

- use a SHA-256, SHA-384 or SHA-512 hash
- definitely use a salt.  I always use a randomly generated salt since
most user-based salts can be guessed or are susceptible to dictionary
attacks (e.g. a username is not a great salt)
- use multiple hash iterations.  While this doesn't increase the
security beyond the hash algorithm and salt, it does add computation
time.  This is good because if it increases the login time by only a
quarter or half a second, while unnoticeable to a legitimate end-user,
it _significantly_ slows things down for an attacker trying multiple
values.

See this article for more: http://www.owasp.org/index.php/Hashing_Java

In my apps, I do this:

ByteSource salt = generateRandomSalt();
String passwordHash = new Sha512Hash(plainTextPassword,
salt.getBytes(), 1024).toBase64();

The User object has the following 2 fields in addition to other user data:

String passwordHash; //equals the above 'passwordHash' value
String base64Salt; //equals salt.toBase64() value

the 'generateRandomSalt' method implementation is as follows:

private ByteSource generateRandomSalt() {
    byte[] saltBytes = new byte[128];
    // fill the salt from a cryptographically secure RNG
    java.security.SecureRandom.getInstance("SHA1PRNG").nextBytes(saltBytes);
    return new SimpleByteSource(saltBytes);
}

You can determine password equality by doing the following (where
'username' is the user-specified username and 'password' is the
user-specified plain-text password):

User user = getUserByUsername(username);

byte[] saltBytes = Base64.decode(user.getBase64Salt());
String passwordHash = new Sha512Hash(password, saltBytes, 1024).toBase64();

if (user.getPasswordHash().equals(passwordHash)) {
    //login successful
} else {
    //incorrect password
}

HTH,

Les
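The salt-and-iterate scheme described above, as an added example that is not part of this thread or of Shiro's own code: it uses only the JDK, follows the same salt-then-iterate construction with the 1024 iterations used above, and compares hashes in constant time. Helper names and the 16-byte salt length are assumptions; byte-for-byte compatibility with Shiro's Sha512Hash is not claimed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added example (not from the thread): random salt + iterated SHA-512,
// stored as base64 alongside the hash, then verified with a constant-time compare.
public final class SaltedHashDemo {
    private static final int ITERATIONS = 1024; // same count as in the message above
    private static final int SALT_BYTES = 16;   // assumed length; any SecureRandom salt works

    /** Random per-user salt from the platform CSPRNG. */
    static byte[] generateRandomSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /** SHA-512 over (salt || password), then re-hashed ITERATIONS-1 more times. */
    static byte[] hashPassword(char[] password, byte[] salt) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        md.update(salt);
        byte[] hashed = md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < ITERATIONS; i++) {
            md.reset();
            hashed = md.digest(hashed);
        }
        return hashed;
    }

    /** Recompute from the stored salt and compare without leaking timing. */
    static boolean verify(char[] password, String base64Salt, String base64Hash) throws Exception {
        byte[] salt = Base64.getDecoder().decode(base64Salt);
        byte[] expected = Base64.getDecoder().decode(base64Hash);
        byte[] actual = hashPassword(password, salt);
        return MessageDigest.isEqual(expected, actual); // constant-time, unlike String.equals
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = generateRandomSalt();
        String storedSalt = Base64.getEncoder().encodeToString(salt);
        String storedHash = Base64.getEncoder()
                .encodeToString(hashPassword("correct horse".toCharArray(), salt));
        System.out.println("right password: " + verify("correct horse".toCharArray(), storedSalt, storedHash));
        System.out.println("wrong password: " + verify("wrong".toCharArray(), storedSalt, storedHash));
    }
}
```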

On Mon, Jun 14, 2010 at 11:22 PM, Fernando Wermus
<[email protected]> wrote:
> Kalle,
>     Reading
> http://sacharya.com/facebook-connect-with-jsecurity-on-grails/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+sacharya+(Sudarshan+Acharya)&utm_content=Google+Reader
> I got that it should be enough to define the password as
> new Sha1Hash("randompassword").toHex()
>
> Is it true? Is it safe?
>
> On Tue, Jun 15, 2010 at 2:51 AM, Kalle Korhonen <[email protected]>
> wrote:
>>
>> Roughly, you'd:
>> 1) create an Oauth redirect page and extract the Oauth token from the
>> response
>> 2) call Subject.login with the authentication token as the credential
>> 3) Implement another custom realm where you validate the Oauth for
>> example by fetching "me" data with the given credentials (plus any
>> other mixed local/federated security checks you might want to have
>> such as accountLocked etc.)
>>
>> You can and should have multiple realms with Shiro, I'd leave the code
>> below as is for authenticating against your local database.
>>
>> Kalle
>>
>>
>> On Mon, Jun 14, 2010 at 10:24 PM, Fernando Wermus
>> <[email protected]> wrote:
>> > Hi all,
>> >      Some users could authenticate through facebook or stand alone mode.
>> > So,
>> > I need to reimplement the following method
>> > @Override
>> > protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
>> >         UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
>> >         UsuarioDAO usuarioDAO = new UsuarioDAO();
>> >         Usuario user = usuarioDAO.buscarPorMail(token.getUsername());
>> >
>> >         if( user != null ) {
>> >             return new SimpleAuthenticationInfo(user.getEmail(), user.getClave(), "realmA");
>> >         } else {
>> >             return null;
>> >         }
>> > }
>> > As I don't have anything similar to a password in a facebook
>> > authentication
>> > - I don't know the password and I don't know anything that can work
>> > similarly.
>> > How can I incorporate facebook authentication to my shiro
>> > implementation?
>> > Any help would be appreciated.
>> > My implementation is wicket-shiro impl.
>> > Thanks in advance.
>> >
>> > --
>> > Fernando Wermus.
>> >
>> > www.linkedin.com/in/fernandowermus
>> >
>
>
>
> --
> Fernando Wermus.
>
> www.linkedin.com/in/fernandowermus
>