BCrypt is definitely going to be supported and maybe SCrypt if we can find a Java-based solution for it (however, I suspect it might need JNI or JNA to do it 'right'). That being said PBKDF2 is a good alternative and should absolutely be included in Shiro. BCrypt and PBKDF2 are both easy enough to support such that I don't see why they shouldn't be included, as well as all HMAC algorithms.
Cheers,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Wed, Sep 17, 2014 at 11:08 PM, Dominic Farr <[email protected]> wrote:
> sure....I wasn't being specific to you on paranoia, it was meant as a light hearted view on the world of hacking.
>
> Think of it this way. MD5 and SHA 1 are done for security, they still have uses, but not for password. SHA 2 is limited for password protection, but with a good long random salt, it's still pretty good. If you want to protect a new online cat database you could be happy with SHA 2 + salt. If you are protecting more sensitive or more prized data then move on to bcrypt.
>
> good luck
> -d
>
> On 18 September 2014 00:04, Konrad Zuse <[email protected]> wrote:
>
>> It's not paranoia more so than what I have been reading, where people say that SHA should never be used for passwords....... As I said I'm new to cryptography, so I'm just trying to get my facts straight is all.
>>
>> I will most likely go with the defaults for now, but a port for Shiro would be nice.
>>
>> ------------------------------
>> Date: Wed, 17 Sep 2014 22:56:38 +0100
>> Subject: RE: Has anyone tried the Shiro 2.0 branch?
>> From: [email protected]
>> To: [email protected]
>>
>> How good is sha 256? How paranoid are you? If not much, it is great, if a lot, move to bcrypt. But sha 256 is good enough for most. If financial data is involved, or other sensitive data, look to bcrypt
>> As for using spring security bcrypt, it was meant as an example of simple abstraction. You could use bcrypt directly. Or port it to a Shiro abstraction.
>> d
>>
>> On 17 Sep 2014 22:33, "Konrad Zuse" <[email protected]> wrote:
>>
>> I was curious if we will be getting better hashing algorithms? I'm new to Cryptography and such, but I was reading something last night saying that SHA isn't really secure for passwords and we should be using either bcrypt, scrypt, or PBKDF2?
>>
>> Someone made a post about spring security and bcrypt, but I rather not mix it with Shiro if possible... Would be nice to have these features. From the documentation it's shown to use SHA-256 for passwords and a password matcher, but how secure is it?
>>
>> I would love to help out with improving the library, but I don't know if I will be of any help as a semi-noobie :(.
>>
>> Thanks for everything Les!
>>
>> > Date: Wed, 17 Sep 2014 13:14:11 -0700
>> > Subject: Re: Has anyone tried the Shiro 2.0 branch?
>> > From: [email protected]
>> > To: [email protected]
>> >
>> > Hi Paul,
>> >
>> > I'm not sure if they'll still work or not, as I haven't tested. I'd *like* to ensure that they still work, or better yet, include the JEE interceptor support directly in Shiro. If anyone would like to help with this effort, I'm sure the dev team would appreciate it!
>> >
>> > Les
>> >
>> > On Sun, Sep 14, 2014 at 2:42 AM, Paul Holding <[email protected]> wrote:
>> > > Hi Les
>> > >
>> > > Looking through the release notes I didn't see any mention of CDI, JSF, or Java EE Interceptors so I was wondering whether some of the existing enhancements that have been created by the community are likely to still work with Shiro 2.0.
>> > >
>> > > For CDI and JSF I'm using Pax Shiro (https://github.com/ops4j/org.ops4j.pax.shiro).
>> > >
>> > > For Java EE Interceptors I'm using some code from BalusC's blog (http://balusc.blogspot.co.uk/2013/01/apache-shiro-is-it-ready-for-java-ee-6.html#DeclarativeRestrictionInBeanMethods)
>> > >
>> > > Do you think these are likely to still work in Shiro 2.0?
>> > >
>> > > Kind Regards
>> > >
>> > > Paul
>> > >
>> > > --
>> > > View this message in context: http://shiro-user.582556.n2.nabble.com/Has-anyone-tried-the-Shiro-2-0-branch-tp7580195p7580212.html
>> > > Sent from the Shiro User mailing list archive at Nabble.com.
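The thread above contrasts the "SHA-256 + salt" scheme the Shiro docs show with PBKDF2 and bcrypt. The following is an added example, not code from this thread, from Apache Shiro or from Spring Security: it hashes a password two ways using only the JDK (salted, iterated SHA-256 beside PBKDF2-HMAC-SHA256 via `javax.crypto`) and verifies either against a self-describing stored string. The class name `PasswordHashing`, the `alg$iterations$salt$hash` storage format and the iteration counts are assumptions chosen for illustration, not Shiro defaults.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example: salted SHA-256 vs. PBKDF2 password hashing using the JDK only. */
public final class PasswordHashing {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;
    // Assumed work factors for this example; tune to your hardware, not copied from Shiro.
    private static final int SHA256_ITERATIONS = 500_000;
    private static final int PBKDF2_ITERATIONS = 310_000;
    private static final int PBKDF2_KEY_BITS = 256;

    private static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt); // per-password random salt defeats precomputed tables
        return salt;
    }

    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }

    // "SHA 2 + salt" as discussed in the thread, with iteration added so each guess costs more
    // than one fast digest. SHA-256 itself is built for speed, which is why PBKDF2/bcrypt are preferred.
    private static byte[] sha256Iterated(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(new String(password).getBytes(StandardCharsets.UTF_8));
        byte[] out = md.digest();
        for (int i = 1; i < iterations; i++) {
            out = md.digest(out); // digest() resets the engine after each call
        }
        return out;
    }

    // PBKDF2 with HMAC-SHA256: standardized, in the JDK since Java 8, iteration count is part of the output.
    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int keyBits)
            throws GeneralSecurityException {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();
    }

    /** Returns "sha256$iterations$salt$hash" (assumed format). */
    public static String hashSaltedSha256(char[] password) throws GeneralSecurityException {
        byte[] salt = newSalt();
        return "sha256$" + SHA256_ITERATIONS + "$" + b64(salt) + "$"
                + b64(sha256Iterated(password, salt, SHA256_ITERATIONS));
    }

    /** Returns "pbkdf2-sha256$iterations$salt$hash" (assumed format). */
    public static String hashPbkdf2(char[] password) throws GeneralSecurityException {
        byte[] salt = newSalt();
        return "pbkdf2-sha256$" + PBKDF2_ITERATIONS + "$" + b64(salt) + "$"
                + b64(pbkdf2(password, salt, PBKDF2_ITERATIONS, PBKDF2_KEY_BITS));
    }

    /** Recomputes with the stored algorithm, iterations and salt, then compares in constant time. */
    public static boolean verify(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");
        if (parts.length != 4) return false;
        int iterations = Integer.parseInt(parts[1]);
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        byte[] actual;
        switch (parts[0]) {
            case "sha256":        actual = sha256Iterated(password, salt, iterations); break;
            case "pbkdf2-sha256": actual = pbkdf2(password, salt, iterations, expected.length * 8); break;
            default:              return false; // unknown scheme: fail closed
        }
        return MessageDigest.isEqual(expected, actual); // constant-time, avoids a timing oracle
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample input
        String weaker = hashSaltedSha256(pw);
        String stronger = hashPbkdf2(pw);
        System.out.println(weaker);
        System.out.println(stronger);
        System.out.println("sha256 ok:  " + verify(pw, weaker));
        System.out.println("pbkdf2 ok:  " + verify(pw, stronger));
        System.out.println("wrong pw:   " + verify("wrong".toCharArray(), stronger));
        Arrays.fill(pw, '\0'); // do not leave plaintext in memory longer than needed
    }
}
```

Storing the algorithm name and iteration count next to the hash is what lets a deployment raise the work factor later, or move from the SHA-256 scheme to PBKDF2, without invalidating existing records: old entries keep verifying under their recorded parameters and can be rehashed on the next successful login. bcrypt is not in the JDK; the thread's pointer to Spring Security's bcrypt, or a standalone bcrypt library, is the route if that is the preferred scheme.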
