Yeah, I ended up going with the PasswordService and matcher. But I still think a brute force would still work. If I have a user's encrypted password, couldn't I take Shiro's Matcher class, run a dictionary attack calling the matcher for each word, and then, if the matcher returns true, we know we just found their password?
Now, granted, that does require access to the user's encrypted password, and that that particular user has a bad password, which unfortunately, in our world, occurs far too easily. ;)

Thanks Les,
Mark

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Question-on-hashing-and-cryptography-Not-able-to-login-tp7578370p7578392.html
Sent from the Shiro User mailing list archive at Nabble.com.
