Hi Bauke,

You'll want to use the new PasswordMatcher and PasswordService introduced in Shiro 1.2 - this has two benefits:

1. It is easier to use than worrying about Hash implementations yourself.

2. Configuration changes are backwards compatible for logins. For example:

   - configure the PasswordService to use SHA-256
   - use the PasswordService to hash a password for Account A and save it in the DB.
   - change the PasswordService config to now use SHA-512

   A login attempt will still be possible for Account A even though new passwords are hashed with SHA-512. The PasswordService knows how to perform password comparisons for older hashes that may not reflect the current configuration. This is important for most applications so you don't have to force all users to upgrade their passwords in case you wanted to configure a stronger password policy.

Usage for your app and a shiro.ini realm config example is documented in the PasswordService JavaDoc:
http://shiro.apache.org/static/1.2.1/apidocs/org/apache/shiro/authc/credential/PasswordService.html

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

Stormpath wins GigaOM Structure Launchpad Award!
http://bit.ly/MvZkMk
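The property described in the message above (hashes created under a SHA-256 configuration still verify after the service is switched to SHA-512) works because the stored value is self-describing: algorithm, iteration count and salt are recorded alongside the digest, and the verifier reads them from the stored record rather than from the current configuration. The following stand-alone Python sketch is an added illustration of that mechanism; it is not Shiro's code and not part of this thread. The `$demo$...` record format, the `POLICY_*` dictionaries, the iteration counts and the `needs_rehash` helper are all constructed for the example (Shiro's own `$shiro1$` format and defaults differ in detail).

```python
import base64
import hashlib
import hmac
import os

# Constructed sample policies. The "current" policy only governs how NEW
# passwords are stored; verification of old records never consults it.
# Iteration counts are kept small so the example runs quickly; a real
# deployment uses a far higher count.
POLICY_SHA256 = {"algorithm": "sha256", "iterations": 5000}   # original config
POLICY_SHA512 = {"algorithm": "sha512", "iterations": 5000}   # later, stronger config

# Only algorithms the application has deliberately enabled may be named in a
# stored record; anything else is rejected at parse time.
SUPPORTED_ALGORITHMS = {"sha256", "sha512"}

FORMAT_ID = "demo"  # constructed identifier, stands in for a real format tag


def _digest(algorithm, iterations, salt, password):
    """Salted, iterated hash: H(salt || password), then re-hash `iterations - 1` times."""
    ctor = getattr(hashlib, algorithm)
    h = ctor(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        h = ctor(h).digest()
    return h


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, policy):
    """Hash under the CURRENT policy and return a self-describing record."""
    salt = os.urandom(16)
    digest = _digest(policy["algorithm"], policy["iterations"], salt, password)
    return "$%s$%s$%d$%s$%s" % (
        FORMAT_ID, policy["algorithm"], policy["iterations"], _b64(salt), _b64(digest)
    )


def parse_stored(stored):
    """Split a stored record into (algorithm, iterations, salt, digest)."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "" or parts[1] != FORMAT_ID:
        raise ValueError("unrecognised stored password format")
    _, _, algorithm, iterations, salt_b64, digest_b64 = parts
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError("stored record names an algorithm that is not enabled")
    return algorithm, int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def passwords_match(submitted, stored):
    """Verify using the parameters recorded IN the stored value, not the current policy."""
    algorithm, iterations, salt, expected = parse_stored(stored)
    actual = _digest(algorithm, iterations, salt, submitted)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, policy):
    """True if the record predates the current policy (upgrade it on next successful login)."""
    algorithm, iterations, _, _ = parse_stored(stored)
    return algorithm != policy["algorithm"] or iterations < policy["iterations"]


if __name__ == "__main__":
    old_record = hash_password("correct horse", POLICY_SHA256)   # stored while SHA-256 was configured
    # ... configuration later changes to POLICY_SHA512 ...
    new_record = hash_password("correct horse", POLICY_SHA512)
    print(old_record)
    print(new_record)
    print("old record still verifies:", passwords_match("correct horse", old_record))
    print("old record due for upgrade:", needs_rehash(old_record, POLICY_SHA512))
```

The `needs_rehash` check is the operational companion to this design: because verification succeeds against the old record, the application can transparently re-hash the just-verified password under the new policy and overwrite the record, so the user base migrates to SHA-512 over time without any forced reset.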
