What are the current best practices on hashing passwords and encrypting
sensitive data like credit card numbers, social security numbers, etc.? I've
looked for documentation and samples, but haven't really found many
resources on using Shiro's cryptography features.
I have a feeling I could be using the Cryptography features much more
effectively. For instance, when a new user signs up, I do the following:
member.setPassword(new Sha256Hash(dto.getPassword()).toHex());
I require that all passwords are at least 8 characters long and include
characters from at least three of the following four categories: lowercase
letters, uppercase letters, numbers, and symbols. After reading the
following article, I'm worried about just how easy it would be to crack
these password hashes:
http://codahale.com/how-to-safely-store-a-password/
I seem to recall some talk of performing multiple hashes on things to secure
them better? Any links to this resource?
Also, I have some sensitive data (credit card, SSN, etc.) that I want to
encrypt before storing in the database. I'm considering adding BouncyCastle
to my application, but perhaps I can use existing Shiro features. It looks
like Shiro can do AES encryption based on this article:
http://www.infoq.com/articles/apache-shiro
I'd really appreciate any pointers on how to use Shiro to tighten up the
*storage* of sensitive data, as well as when it is better to use other tools
such as BouncyCastle.
Thanks,
Tauren
