Hello Roberto! This is possible only in theory and/or with a lot of money. You can use hacking tools which run on your GPU, but even then it might take years to find it. And that is exactly the point: password-based key derivation functions are designed to create an irreversible hash.
Shiro 2.0 will use even better KDFs like Argon2 or bcrypt/scrypt, which require a vast amount of memory and CPU to make attacks not feasible. If you have access to the database where you stored the password, I would just set a new password and forget about the old one, if possible.

Best regards,
Ben

On Sat., 6 Nov. 2021 at 10:39, Roberto Bottoni <r.bott...@afterbit.com> wrote:
>
> Hi Ben,
>
> yes!.. the case is: ...or did you lose a password and need to recover it?
> How can I do that?
>
> Roberto
>
> On 05-11-2021 21:41 Benjamin Marwell wrote:
> > Hi Robert,
> >
> > Why do you think you need the plain text password?
> > Shiro matches the password supplied by subsequent authentication
> > attempts by going through the Sha256Hash algorithm again and comparing
> > the hashed outputs.
> >
> > This way, you can safely[1] store the hash and salt without giving
> > away a user's password.
> >
> > … or did you lose a password and need to recover it?
> >
> > You can also just set a new one, if you did not encrypt anything using
> > your old password.
> >
> > - Ben
> >
> > [1] Sha256 + salt + iterations is a little bit outdated.
> > For Shiro 2, we decided to implement more advanced algorithms.
> >
> > On Fri., 5 Nov. 2021 at 15:39, Roberto Bottoni
> > <r.bott...@afterbit.com> wrote:
> >>
> >> Hello,
> >> I have little experience with encryption / decryption..
> >>
> >> for my web app I want to use Apache Shiro to log in users, with salted
> >> passwords ..
> >>
> >> this is the article I read:
> >> http://shiro.apache.org/realm.html#Realm-HashingCredentials and the
> >> code to generate the salted password:
> >>
> >> import org.apache.shiro.crypto.hash.Sha256Hash;
> >> import org.apache.shiro.crypto.RandomNumberGenerator;
> >> import org.apache.shiro.crypto.SecureRandomNumberGenerator;
> >> ...
> >>
> >> //We'll use a Random Number Generator to generate salts. This
> >> //is much more secure than using a username as a salt or not
> >> //having a salt at all. Shiro makes this easy.
> >> //
> >> //Note that a normal app would reference an attribute rather
> >> //than create a new RNG every time:
> >> RandomNumberGenerator rng = new SecureRandomNumberGenerator();
> >> Object salt = rng.nextBytes();
> >>
> >> //Now hash the plain-text password with the random salt and multiple
> >> //iterations and then Base64-encode the value (requires less space than Hex):
> >> String hashedPasswordBase64 = new Sha256Hash(plainTextPassword, salt, 1024).toBase64();
> >>
> >> User user = new User(username, hashedPasswordBase64);
> >> //save the salt with the new account. The HashedCredentialsMatcher
> >> //will need it later when handling login attempts:
> >> user.setPasswordSalt(salt);
> >> userDAO.create(user);
> >>
> >> This gives me an encrypted password..
> >> but how can I recover the plain text password?
> >> Is it possible?
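Ben's point above, that login works by re-deriving the hash with the stored salt and comparing, and that a lost password is replaced rather than recovered, as an added Python example (not code from the thread or from Shiro; the iteration layout, digest(salt || password) then re-digest the raw output iterations-1 more times, is my reading of Shiro 1.x SimpleHash and is an assumption, so a real app should call Shiro's own Java API):

```python
import base64
import hashlib
import hmac
import secrets


def shiro_sha256_hash(password: str, salt: bytes, iterations: int = 1024) -> bytes:
    """Salted, iterated SHA-256. Assumption: mirrors Shiro 1.x SimpleHash,
    i.e. sha256(salt || password), then re-hash the raw digest iterations-1
    more times. The plaintext cannot be derived back from the output."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    hashed = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        hashed = hashlib.sha256(hashed).digest()
    return hashed


def create_credentials(password: str, iterations: int = 1024) -> dict:
    """What the account-creation snippet in the thread stores: a fresh random
    salt plus the Base64 hash. The plaintext itself is never kept."""
    salt = secrets.token_bytes(16)
    digest = shiro_sha256_hash(password, salt, iterations)
    return {"salt": base64.b64encode(salt).decode("ascii"),
            "hash": base64.b64encode(digest).decode("ascii"),
            "iterations": iterations}


def verify_password(candidate: str, stored: dict) -> bool:
    """What HashedCredentialsMatcher does at login: re-run the same derivation
    with the stored salt and iteration count, then compare the outputs in
    constant time. No decryption is involved anywhere."""
    salt = base64.b64decode(stored["salt"])
    expected = base64.b64decode(stored["hash"])
    actual = shiro_sha256_hash(candidate, salt, stored["iterations"])
    return hmac.compare_digest(actual, expected)


def reset_password(stored: dict, new_password: str) -> dict:
    """Lost password: the practical answer is a new salt and hash, not recovery."""
    return create_credentials(new_password, stored["iterations"])


if __name__ == "__main__":
    record = create_credentials("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))  # False
```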