It's not paranoia more so than what I have been reading, where people say that 
SHA should never be used for passwords... As I said, I'm new to 
cryptography, so I'm just trying to get my facts straight is all.

I will most likely go with the defaults for now, but a port for Shiro would be 
nice.

Date: Wed, 17 Sep 2014 22:56:38 +0100
Subject: RE: Has anyone tried the Shiro 2.0 branch?
From: [email protected]
To: [email protected]

How good is sha 256? How paranoid are you? If not much, it is great, if a lot, 
move to bcrypt. But sha 256 is good enough for most. If financial data is 
involved, or other sensitive data, look to bcrypt.

As for using spring security bcrypt, it was meant as an example of simple 
abstraction. You could use bcrypt directly. Or port it to a Shiro abstraction. 

d
On 17 Sep 2014 22:33, "Konrad Zuse" <[email protected]> wrote:



I was curious if we will be getting better hashing algorithms?  I'm new to 
Cryptography and such, but I was reading something last night saying that SHA 
isn't really secure for passing and we should be using either bcrypt, scrypt, 
or PBKDF2?

Someone made a post about spring security and bcrypt, but I'd rather not mix it 
with Shiro if possible... Would be nice to have these features.  From the 
documentation it's shown to use SHA-256 for passwords and a password matcher, 
but how secure is it?

I would love to help out with improving the library, but I don't know if I will 
be of any help as a semi-noobie :(.

Thanks for everything Les!

> Date: Wed, 17 Sep 2014 13:14:11 -0700
> Subject: Re: Has anyone tried the Shiro 2.0 branch?
> From: [email protected]
> To: [email protected]
> 
> Hi Paul,
> 
> I'm not sure if they'll still work or not, as I haven't tested.  I'd
> *like* to ensure that they still work, or better yet, include the JEE
> interceptor support directly in Shiro.  If anyone would like to help
> with this effort, I'm sure the dev team would appreciate it!
> 
> Les
> 
> 
> On Sun, Sep 14, 2014 at 2:42 AM, Paul Holding <[email protected]> wrote:
> > Hi Les
> >
> > Looking through the release notes I didn't see any mention of CDI, JSF, or
> > Java EE Interceptors so I was wondering whether some of the existing
> > enhancements that have been created by the community are likely to still
> > work with Shiro 2.0.
> >
> > For CDI and JSF I'm using Pax Shiro (
> > https://github.com/ops4j/org.ops4j.pax.shiro ).
> >
> > For Java EE Interceptors I'm using some code from BalusC's blog (
> > http://balusc.blogspot.co.uk/2013/01/apache-shiro-is-it-ready-for-java-ee-6.html#DeclarativeRestrictionInBeanMethods
> > )
> >
> > Do you think these are likely to still work in Shiro 2.0?
> >
> > Kind Regards
> >
> > Paul
> >
> >
> >
> > --
> > View this message in context: 
> > http://shiro-user.582556.n2.nabble.com/Has-anyone-tried-the-Shiro-2-0-branch-tp7580195p7580212.html
> > Sent from the Shiro User mailing list archive at Nabble.com.