If you specify the use of a private salt, or set the option to use a public salt, you will have something similar in your database:

    $shiro1$SHA-512$475494$w9b57Sqavc3YfrxfUpjtWg==$+Wc4fFL+ZnrjrxCGNIRP5fsIYJqc1X8Vj7IInxntrIi0bGjJ4RMJt80Crqeh5RFwt5qgy/seD19IqlriuwWzLg==

Thus you can see the hashing algorithm used as well as the number of iterations. And in this instance there is the addition of the public salt (w9b57Sqavc3YfrxfUpjtWg== in the example above). This public salt is different for every password entry in the database, so it would hinder any pre-computed rainbow table attack on the passwords.

Additionally, there is a private salt used which you can set within your Shiro configuration. This means that even if someone walks off with your database, they still will not be able to "decrypt" the passwords.

In your example (with no salt), it might be possible to get the password in an unencrypted form by just hashing lots of plain text passwords using the parameters you define, yes. A pre-computed rainbow table could be used in this scenario. But that is why it is recommended that salting of passwords is carried out.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Encrypted-password-in-db-why-does-it-tell-the-Hash-and-iterations-in-it-tp7578510p7578622.html
Sent from the Shiro User mailing list archive at Nabble.com.
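The shiro1 string layout discussed in the message, parsed and re-computed in Python as an added example (this is not code from the thread or from Shiro itself). It assumes Shiro's SimpleHash behaviour of digesting salt||password once and re-digesting the result iterations-1 more times, with the configured private salt prepended to the stored public salt; the password and private salt used at the bottom are constructed values.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

# The stored string from the mailing-list message, used here only to show parsing.
EXAMPLE = ("$shiro1$SHA-512$475494$w9b57Sqavc3YfrxfUpjtWg==$+Wc4fFL+ZnrjrxCGNIRP5fs"
           "IYJqc1X8Vj7IInxntrIi0bGjJ4RMJt80Crqeh5RFwt5qgy/seD19IqlriuwWzLg==")

@dataclass
class Shiro1Hash:
    algorithm: str      # e.g. "SHA-512"
    iterations: int     # e.g. 475494
    public_salt: bytes  # b"" when the entry was stored without a public salt
    digest: bytes

def parse_shiro1(stored: str) -> Shiro1Hash:
    """Split '$shiro1$ALG$ITER$B64SALT$B64HASH' into its fields."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "" or parts[1] != "shiro1":
        raise ValueError("not a shiro1 formatted hash")
    _, _, alg, iters, salt_b64, hash_b64 = parts
    salt = base64.b64decode(salt_b64) if salt_b64 else b""
    return Shiro1Hash(alg, int(iters), salt, base64.b64decode(hash_b64))

def _iterated_digest(alg: str, salt: bytes, password: bytes, iterations: int) -> bytes:
    # Assumed SimpleHash behaviour: digest(salt || password), then re-digest
    # the previous output (iterations - 1) more times.
    name = alg.replace("-", "").lower()          # "SHA-512" -> hashlib "sha512"
    out = hashlib.new(name, salt + password).digest()
    for _ in range(iterations - 1):
        out = hashlib.new(name, out).digest()
    return out

def hash_password(password: str, private_salt: bytes, alg: str = "SHA-512",
                  iterations: int = 500000, public_salt: bytes = None) -> str:
    """Produce a shiro1 string; only the per-entry public salt is stored in it."""
    public_salt = os.urandom(16) if public_salt is None else public_salt
    digest = _iterated_digest(alg, private_salt + public_salt,
                              password.encode("utf-8"), iterations)
    return "$shiro1$%s$%d$%s$%s" % (alg, iterations,
                                    base64.b64encode(public_salt).decode(),
                                    base64.b64encode(digest).decode())

def verify_password(stored: str, password: str, private_salt: bytes) -> bool:
    """Recompute from the stored parameters plus the private salt kept in config."""
    h = parse_shiro1(stored)
    candidate = _iterated_digest(h.algorithm, private_salt + h.public_salt,
                                 password.encode("utf-8"), h.iterations)
    return hmac.compare_digest(candidate, h.digest)  # constant-time compare
```

Without the private salt from the Shiro configuration, a copied database row gives an attacker the algorithm, iteration count and public salt, but not enough to recompute the digest.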
