You can't inspect the hashed/salted/iterated output and figure out what the raw password is, even if it is 'password'. I think Mike was stating that you could try to take the hashed output, put it in a program (that knows how to hash things like Shiro), and start trying random values (like 'password').
But for this to happen, the attacker needs to 1) compromise your data store and pull out all the hashed values, 2) know how to replicate the hashing algorithm that Shiro uses, and 3) set up a test harness that allows them to enter in random values. This is all pretty difficult to do, but not impossible, and that's why the iteration (or 'complexity factor') component of hashing exists. Even if an attacker were able to do all 3 of these things, it would take them an exponentially long amount of time to brute force compared to if no complexity factor existed. HTH, -- Les Hazlewood | @lhazlewood CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282 On Thu, Apr 18, 2013 at 9:21 AM, NabbleSometimesSucks < [email protected]> wrote: > drmike01. Sorry for so late in seeing this. > > Are you sure??? > > That would be scary considering that the hash and the iterations is > supposed > to make it impossible for the dictionary attack to easily figure out > password of password. > > If that is true then there is no reason to even encrypt it at all. the > difference between in plain text and this encryption then would be just > making it not readable to the visible eye. > > The whole purpose of Shiro's encryption here with SHA-128 or SHA-256 is > that > dictionary attacks would take a really long time, and that even if they > figured one password out, that same "key" won't work on other accounts. > > Thanks > > Mark > > > > -- > View this message in context: > http://shiro-user.582556.n2.nabble.com/Encrypted-password-in-db-why-does-it-tell-the-Hash-and-iterations-in-it-tp7578510p7578619.html > Sent from the Shiro User mailing list archive at Nabble.com. >
