On Thu, Mar 14, 2013 at 10:10 AM, NabbleReallySucks <[email protected]> wrote:
> Yeah, I ended up going with the PasswordService and matcher.
>
> But I still think a brute force would still work. If I have a user's
> encrypted password, couldn't I take Shiro's Matcher class, run a dictionary
> attack calling the matcher for each word, and then, if the matcher returns
> true, we know we just found out their password?
This is not possible with Shiro's default PasswordService configuration. It uses securely and randomly generated salts every time a new hash is computed. This prevents dictionary attacks.

Best,
Les
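Added example (not code from this thread or from the Shiro project) showing what the per-hash random salt that Les describes actually does: the same plaintext encrypted twice yields two different stored strings, each of which still verifies through `passwordsMatch`, because the salt is carried inside the stored string. It also times a single verification, since with a per-hash salt the defender's lever against guessing of a single stolen hash is the iteration count (work factor). It assumes the Shiro 1.x API (`DefaultPasswordService` and `DefaultHashService` with `setHashAlgorithmName`, `setGeneratePublicSalt` and `setHashIterations`); the plaintext and the iteration counts are constructed sample values.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;

public class SaltedPasswordDemo {

    // Build a PasswordService the way Shiro 1.x configures it by default:
    // SHA-256, a fresh random public salt for every computed hash, and a
    // configurable iteration count that sets the cost of each verification.
    public static DefaultPasswordService buildService(int iterations) {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName("SHA-256");
        hashService.setGeneratePublicSalt(true); // new random salt per hash
        hashService.setHashIterations(iterations);

        DefaultPasswordService service = new DefaultPasswordService();
        service.setHashService(hashService);
        return service;
    }

    // Time one passwordsMatch call; this is the per-guess cost an attacker
    // holding a stolen hash would pay, and it scales with the iteration count.
    public static long measureMatchMillis(DefaultPasswordService service,
                                          String plaintext, String stored) {
        long start = System.nanoTime();
        service.passwordsMatch(plaintext, stored);
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) {
        String plaintext = "correct horse battery staple"; // constructed sample

        DefaultPasswordService service = buildService(500_000);
        String stored1 = service.encryptPassword(plaintext);
        String stored2 = service.encryptPassword(plaintext);

        // Same plaintext, different salt each time: the stored strings differ,
        // so a table precomputed for one salt is useless for any other hash.
        System.out.println(stored1);
        System.out.println(stored2);
        System.out.println("stored strings identical: " + stored1.equals(stored2));

        // Each stored string still verifies, because the matcher reads the
        // salt, algorithm and iteration count back out of the string itself.
        System.out.println("match 1: " + service.passwordsMatch(plaintext, stored1));
        System.out.println("match 2: " + service.passwordsMatch(plaintext, stored2));
        System.out.println("wrong password: " + service.passwordsMatch("wrong", stored1));

        // Verification cost is governed by the iteration count, not the salt.
        DefaultPasswordService cheap = buildService(1_000);
        String storedCheap = cheap.encryptPassword(plaintext);
        System.out.println("ms per match at 1,000 iterations:   "
                + measureMatchMillis(cheap, plaintext, storedCheap));
        System.out.println("ms per match at 500,000 iterations: "
                + measureMatchMillis(service, plaintext, stored1));
    }
}
```

The stored strings are in Shiro's `$shiro1$` format, which embeds the algorithm name, iteration count and Base64 salt ahead of the hash. The salt is what stops precomputed tables and cross-account reuse of work; the iteration count is what makes each individual guess against a stolen hash expensive, so keep it as high as your login latency budget allows rather than lowering it for convenience.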
