Nope, nothing to add. Nice summary Luke :)

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
On Thu, Jan 16, 2014 at 5:31 AM, Luke Biddell <[email protected]> wrote:
> If you're doing the hashing yourself and storing them somewhere, consider
> using something other than SHA*.
>
> Take a look at these articles.
>
> http://codahale.com/how-to-safely-store-a-password/
> http://www.unlimitednovelty.com/2012/03/dont-use-bcrypt.html
>
> My understanding is that SHA* are designed for speed which ultimately aids
> brute force attacks.
>
> Something like Bcrypt or even better PBKDF2 mitigates this.
>
> I'm not an expert though, Les will probably have a better view.
>
>
> On 14 January 2014 02:32, Les Hazlewood <[email protected]> wrote:
>>
>> Hi Richard, yes, if you can't configure the LDAP server to be aware of
>> iterations/complexity, then I think doing the matching at the Realm level
>> (with a PasswordMatcher) would be good.
>>
>> HTH!
>>
>> --
>> Les Hazlewood | @lhazlewood
>> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>>
>>
>> On Mon, Jan 13, 2014 at 5:11 PM, Richard Mixon <[email protected]> wrote:
>>>
>>> Les, I've actually got the Shiro realm working - with either SSHA or
>>> SSHA256. But now it looks like neither of the LDAP server's built-in bind
>>> functions allows you to specify how many hash iterations to compute,
>>> only the algorithm to use. So I guess that means I just do an LDAP search
>>> instead of a bind and do the matching in my realm logic.
>>>
>>> Or am I missing something?
>>>
>>> Thanks!
>>>
>>> Sent from my iPhone
>>>
>>> On Jan 13, 2014, at 16:20, Les Hazlewood <[email protected]> wrote:
>>>
>>> Hi Richard,
>>>
>>> If I understand correctly, your challenge is that you want to configure
>>> the LDAP server of choice to compute SSHA256? And then to have Shiro read
>>> in that record, look at the hashed value and then do the comparison?
>>>
>>> Best,
>>>
>>> Les
>>>
>>> On Mon, Jan 13, 2014 at 8:54 AM, rnmixon <[email protected]> wrote:
>>>>
>>>> A bit more info ...
>>>>
>>>> We are putting together a small outward facing portal - implementing an LDAP
>>>> directory is part of that effort (we use Microsoft AD for internal users).
>>>>
>>>> At this point we've written the PHP plugin for our WordPress site to
>>>> authenticate external partners via the LDAP directory and internal
>>>> users/employees using our Microsoft Active Directory. I'm doing the same for
>>>> the two Java applications that need to be integrated.
>>>>
>>>> Currently, I'm trying to meet a new requirement I received last week to use
>>>> SSHA256 instead of SSHA and to use a high number of hashing iterations as
>>>> Les' article suggested.
>>>>
>>>> In theory OpenLDAP can do this using the sha2 plugin, but it's been slow
>>>> getting it to work - after quite a few years it has not been included in the
>>>> base product's plugin set - and there appear to be some philosophical wars
>>>> as to whether more advanced hashes can or should be included in the core
>>>> product plugins.
>>>>
>>>> So at this point I've allocated a day (today) to look at the Fedora 389
>>>> Directory Server and see if it offers a smoother path. So far that seems to
>>>> be the case, but I'm not all the way there yet.
>>>>
>>>> Any thoughts or suggestions on a better path? This is a first step for us -
>>>> I'm sure we'll evaluate and reconsider after it's implemented.
>>>>
>>>> Thank you - Richard
>>>>
>>>> --
>>>> View this message in context:
>>>> http://shiro-user.582556.n2.nabble.com/Implementing-strong-password-hashing-with-Shiro-and-Openldap-tp7579496p7579498.html
>>>> Sent from the Shiro User mailing list archive at Nabble.com.
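The approach Les and Richard settle on above, an LDAP search for the stored hash followed by matching inside the Shiro realm, as an added example that is not from the thread and not Shiro's own code. It assumes the Shiro 1.2 API, users keyed by `uid` under a hypothetical search base, and that the application itself writes `userPassword` as `{SSHA256}` followed by Base64(digest || salt), where the digest is Shiro's `SimpleHash("SHA-256", password, salt, iterations)`; the server's own bind cannot verify such a value (OpenLDAP's single-round SSHA256 uses a different layout), which is exactly why the realm searches instead of binding.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.realm.ldap.*;
import org.apache.shiro.util.ByteSource;

/** Hypothetical realm: fetch the stored hash with a service account and let Shiro verify it. */
public class SearchingLdapRealm extends JndiLdapRealm {
    private static final String PREFIX = "{SSHA256}"; // assumption: layout written by the app, not the server
    private static final int DIGEST_LEN = 32;         // SHA-256 output; the bytes after it are the salt
    private String searchBase = "ou=people,dc=example,dc=com"; // assumption; set it from shiro.ini
    public void setSearchBase(String base) { searchBase = base; }

    public SearchingLdapRealm() {
        // JndiLdapRealm installs AllowAllCredentialsMatcher because a bind proves the password;
        // this realm never binds as the user, so it must verify the hash itself.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("SHA-256");
        matcher.setHashIterations(500000);             // assumption; must equal the count used when writing
        matcher.setStoredCredentialsHexEncoded(false); // the digest is handed over Base64-encoded below
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token,
            LdapContextFactory factory) throws NamingException {
        String user = (String) token.getPrincipal();
        LdapContext ctx = factory.getSystemLdapContext(); // service account; the user's password never leaves the app
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"userPassword"});
            // Filter arguments are passed separately, so the username cannot alter the filter.
            NamingEnumeration<SearchResult> results = ctx.search(searchBase, "(uid={0})", new Object[] {user}, sc);
            if (!results.hasMore()) throw new UnknownAccountException("unknown user");
            Attribute pw = results.next().getAttributes().get("userPassword");
            if (pw == null) throw new AuthenticationException("no userPassword for " + user);
            String stored = new String((byte[]) pw.get(), StandardCharsets.UTF_8); // JNDI returns userPassword as bytes
            if (!stored.startsWith(PREFIX)) throw new AuthenticationException("unexpected hash scheme");
            byte[] blob = Base64.decode(stored.substring(PREFIX.length()));
            byte[] digest = Arrays.copyOfRange(blob, 0, DIGEST_LEN);
            byte[] salt = Arrays.copyOfRange(blob, DIGEST_LEN, blob.length);
            // HashedCredentialsMatcher recomputes SimpleHash("SHA-256", password, salt, iterations) and compares.
            return new SimpleAuthenticationInfo(user, Base64.encodeToString(digest),
                    ByteSource.Util.bytes(salt), getName());
        } finally {
            LdapUtils.closeContext(ctx);
        }
    }
}
```

Wire it in shiro.ini like any JndiLdapRealm, with `contextFactory.url`, `contextFactory.systemUsername` and `contextFactory.systemPassword` for the service account, plus the hypothetical `searchBase` property added here.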
