>From what I've been reading HMACs are preferred, so this does seem exciting.
>It might take some issues finding the exact ways to do it, but there are
>definitely ways to do everything we need!

I would love to help out if I can, but I'm not sure how much of a help I could be with this field of study.

Date: Fri, 26 Sep 2014 10:44:54 -0700
Subject: Re: Has anyone tried the Shiro 2.0 branch?
From: [email protected]
To: [email protected]

BCrypt is definitely going to be supported and maybe SCrypt if we can find a Java-based solution for it (however, I suspect it might need JNI or JNA to do it 'right'). That being said, PBKDF2 is a good alternative and should absolutely be included in Shiro. BCrypt and PBKDF2 are both easy enough to support such that I don't see why they shouldn't be included, as well as all HMAC algorithms.

Cheers,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Wed, Sep 17, 2014 at 11:08 PM, Dominic Farr <[email protected]> wrote:

sure....I wasn't being specific to you on paranoia, it was meant as a light-hearted view on the world of hacking.

Think of it this way. MD5 and SHA 1 are done for security, they still have uses, but not for password. SHA 2 is limited for password protection, but with a good long random salt, it's still pretty good. If you want to protect a new online cat database you could be happy with SHA 2 + salt. If you are protecting more sensitive or more prized data then move on to bcrypt.

good luck
-d

On 18 September 2014 00:04, Konrad Zuse <[email protected]> wrote:

It's not paranoia more so than what I have been reading, where people say that SHA should never be used for passwords....... As I said I'm new to cryptography, so I'm just trying to get my facts straight is all. I will most likely go with the defaults for now, but a port for Shiro would be nice.

Date: Wed, 17 Sep 2014 22:56:38 +0100
Subject: RE: Has anyone tried the Shiro 2.0 branch?
From: [email protected]
To: [email protected]

How good is sha 256? How paranoid are you? If not much, it is great, if a lot, move to bcrypt. But sha 256 is good enough for most. If financial data is involved, or other sensitive data, look to bcrypt.

As for using spring security bcrypt, it was meant as an example of simple abstraction. You could use bcrypt directly. Or port it to a Shiro abstraction.

d

On 17 Sep 2014 22:33, "Konrad Zuse" <[email protected]> wrote:

I was curious if we will be getting better hashing algorithms? I'm new to Cryptography and such, but I was reading something last night saying that SHA isn't really secure for passing and we should be using either bcrypt, scrypt, or PK2BK? Someone made a post about spring security and bcrypt, but I rather not mix it with Shiro if possible... Would be nice to have these features. From the documentation it's shown to use SHA-256 for passwords and a password matcher, but how secure is it? I would love to help out with improving the library, but I don't know if I will be of any help as a semi-noobie :(.

Thanks for everything Lez!

> Date: Wed, 17 Sep 2014 13:14:11 -0700
> Subject: Re: Has anyone tried the Shiro 2.0 branch?
> From: [email protected]
> To: [email protected]
>
> Hi Paul,
>
> I'm not sure if they'll still work or not, as I haven't tested. I'd
> *like* to ensure that they still work, or better yet, include the JEE
> interceptor support directly in Shiro. If anyone would like to help
> with this effort, I'm sure the dev team would appreciate it!
>
> Les
>
>
> On Sun, Sep 14, 2014 at 2:42 AM, Paul Holding <[email protected]> wrote:
> > Hi Les
> >
> > Looking through the release notes I didn't see any mention of CDI, JSF, or
> > Java EE Interceptors so I was wondering whether some of the existing
> > enhancements that have been created by the community are likely to still
> > work with Shiro 2.0.
> >
> > For CDI and JSF I'm using Pax Shiro (
> > https://github.com/ops4j/org.ops4j.pax.shiro ).
> >
> > For Java EE Interceptors I'm using some code from BalusC's blog (
> > http://balusc.blogspot.co.uk/2013/01/apache-shiro-is-it-ready-for-java-ee-6.html#DeclarativeRestrictionInBeanMethods
> > )
> >
> > Do you think these are likely to still work in Shiro 2.0?
> >
> > Kind Regards
> >
> > Paul
> >
> >
> >
> > --
> > View this message in context:
> > http://shiro-user.582556.n2.nabble.com/Has-anyone-tried-the-Shiro-2-0-branch-tp7580195p7580212.html
> > Sent from the Shiro User mailing list archive at Nabble.com.
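
The two options weighed in this thread, a single salted SHA-256 pass and an iterated function such as PBKDF2, side by side. This is an added example, not part of the original messages and not Shiro code; it uses only JDK classes (Java 8+), and the class name, iteration count, salt length and sample password are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
// Added example (not Shiro code): salted single-pass SHA-256 next to PBKDF2.
public class PasswordHashDemo {
    static final int ITERATIONS = 200_000; // assumed work factor; tune to your hardware
    static final int SALT_BYTES = 16;      // assumed salt length
    // One SHA-256 pass over salt || password: the salt defeats precomputed
    // tables, but each guess still costs an attacker only one hash.
    static byte[] saltedSha256(char[] password, byte[] salt) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
    }

    // PBKDF2-HMAC-SHA256: each guess costs ITERATIONS HMAC invocations.
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword(); // wipes the spec's internal copy of the password
        return key;
    }

    // Recompute with the stored salt and compare in constant time.
    static boolean verify(char[] attempt, byte[] salt, byte[] stored) throws Exception {
        return MessageDigest.isEqual(stored, pbkdf2(attempt, salt));
    }

    public static void main(String[] args) throws Exception {
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt); // fresh random salt per password
        long t0 = System.nanoTime();
        saltedSha256(password, salt);
        long t1 = System.nanoTime();
        byte[] stored = pbkdf2(password, salt);
        long t2 = System.nanoTime(); // rough timing only, no JIT warm-up
        System.out.printf("SHA-256 x1: %d us, PBKDF2 x%d: %d us%n",
                (t1 - t0) / 1000, ITERATIONS, (t2 - t1) / 1000);
        Base64.Encoder b64 = Base64.getEncoder();
        System.out.println("record: " + ITERATIONS + "$" + b64.encodeToString(salt)
                + "$" + b64.encodeToString(stored)); // store iterations and salt with the hash
        System.out.println("right password: " + verify(password, salt, stored));
        System.out.println("wrong password: " + verify("guess".toCharArray(), salt, stored));
    }
}
```

Storing the iteration count next to the salt and hash lets the work factor be raised later without invalidating existing records.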
