Do you use Shiro's DefaultPasswordService <https://shiro.apache.org/static/current/apidocs/org/apache/shiro/authc/credential/DefaultPasswordService.html> to generate the encrypted passwords you store in the DB and also to check if the user has entered a valid password?
Because if so, you do not need to worry about the algorithms. AFAIK the DefaultPasswordService adds information to the encrypted passwords it generates to later know how to match it with plain text passwords:

$shiro1$SHA-256$500000$iJRddPc2jpRrerxLRXskmQ==$U88i9zJCUZOKJ++1J3tqW5qTa2xUnCho5AaTHyevmsE=

In the default settings it seems to use SHA-256 with 500000 iterations + some salt that is generated for each password to encrypt a password. I think the "iJRddPc2jpRrerxLRXskmQ==" part is the salt here?

When you now give the DefaultPasswordService such an encrypted password string, it knows how to match it with a plain text password. Because of that, it is even possible to switch the used algorithm etc. in your application over time without having to reset all passwords.

Does that help you? That is just my understanding of how things work, please correct me if I'm wrong with something! ;)

On Fri, Sep 12, 2014 at 7:42 AM, KonradZuse <[email protected]> wrote:

> Hello all,
>
> I am now creating a desktop client for a portion of my application, where
> the other part is a web application.
>
> I am using the same DB to login, as well as store information.
>
> I am confused if I am supposed to use the same ini file or use multiple. I
> am curious about the hasher/passwordmatching algorithm and if we need the
> same one?
>
> I figured every time it's generated it's random, but I guess the same specs
> should give the same results, or else it would never work regardless?
>
> If anyone has any insight I would appreciate it greatly!
>
> Thank you!!
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Do-multiple-clients-of-the-same-Shiro-Application-use-the-same-shiro-ini-file-tp7580208.html
> Sent from the Shiro User mailing list archive at Nabble.com.
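
Added example, not part of the original thread and not Shiro's own code: a Python sketch that splits the `$shiro1$` string quoted in the reply into its fields and shows why a verifier that reads algorithm, iterations and salt from the stored value can check hashes created under different settings. The function names are hypothetical, and the hashing scheme (salt, then password, then re-hashing the digest) is an assumption about Shiro's default behaviour with no private salt configured.

```python
import base64
import hashlib
import hmac
import os
from typing import NamedTuple

# Stored value quoted in the reply above.
PAGE_EXAMPLE = ("$shiro1$SHA-256$500000$iJRddPc2jpRrerxLRXskmQ=="
                "$U88i9zJCUZOKJ++1J3tqW5qTa2xUnCho5AaTHyevmsE=")
# Shiro algorithm name -> hashlib name (allowlist; anything else is rejected).
ALGORITHMS = {"SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}

class Shiro1Hash(NamedTuple):
    algorithm: str
    iterations: int
    salt: bytes
    digest: bytes

def parse_shiro1(stored: str) -> Shiro1Hash:
    # Leading "$" gives an empty first field: ['', 'shiro1', alg, iters, salt, digest]
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "" or parts[1] != "shiro1":
        raise ValueError("not a $shiro1$ value")
    if parts[2] not in ALGORITHMS or not parts[3].isdigit() or int(parts[3]) < 1:
        raise ValueError("unsupported algorithm or iteration count")
    return Shiro1Hash(parts[2], int(parts[3]),
                      base64.b64decode(parts[4], validate=True),
                      base64.b64decode(parts[5], validate=True))

def compute(password: str, salt: bytes, algorithm: str, iterations: int) -> bytes:
    # Assumed scheme: H(salt || password), then re-hash the digest iterations-1 times.
    name = ALGORITHMS[algorithm]
    digest = hashlib.new(name, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(name, digest).digest()
    return digest

def encrypt_password(password, algorithm="SHA-256", iterations=500000) -> str:
    salt = os.urandom(16)  # fresh random salt per password
    digest = compute(password, salt, algorithm, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "$".join(["", "shiro1", algorithm, str(iterations), b64(salt), b64(digest)])

def passwords_match(password: str, stored: str) -> bool:
    h = parse_shiro1(stored)  # parameters come from the stored value itself
    candidate = compute(password, h.salt, h.algorithm, h.iterations)
    return hmac.compare_digest(candidate, h.digest)
```

Because each stored value carries its own parameters, two clients sharing one database only need to agree on the format, not on identical hasher settings.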
