Just for posterity: Modern password hashing schemes are always one-way operations; it is infeasible (and practically impossible) for anyone but a nation state with immense computing resources to take hash output and attempt to recover the original plaintext password.

It is this unidirectional (one-way) nature of hashing that helps make password hashes safe. If the raw passwords (plaintext) could be easily recovered in their original form, that means it could be easy for attackers to do so as well. This is why Apache Shiro only implements one-way password hashing schemes.

Best,

Les

On Sun, Nov 7, 2021 at 1:26 AM Roberto Bottoni <r.bott...@afterbit.com> wrote:
> Hi Ben,
>
> the fact that: "..This is possible only in theory and/or with a lot of
> money..." is the most important thing!
>
> well, I set a new password..
>
> thank you!
> Bye!
>
> R.
>
>
>
> On 06-11-2021 21:06 Benjamin Marwell wrote:
> > Hello Roberto!
> >
> > This is possible only in theory and/or with a lot of money.
> > You can use hacking tools which run on your GPU, but even then it
> > might take years to find it.
> > And that is exactly the point: Password-based key derivation functions
> > are designed to create an irreversible hash.
> >
> > Shiro 2.0 will use even better KDFs like Argon2 or bcrypt/scrypt,
> > which require a vast amount of memory and CPU to make attacks not
> > feasible.
> >
> > If you have access to the database where you stored the password, I
> > would just set a new password and forget about the old one, if
> > possible.
> >
> > Best regards,
> > Ben
> >
> > On Sat, 6 Nov 2021 at 10:39, Roberto Bottoni
> > <r.bott...@afterbit.com> wrote:
> >>
> >> Hi Ben,
> >>
> >> yes!.. the case is: ...or did you lose a password and need to
> >> recover
> >> it?
> >> How can I do that?
> >>
> >> Roberto
> >>
> >>
> >>
> >>
> >> On 05-11-2021 21:41 Benjamin Marwell wrote:
> >> > Hi Robert,
> >> >
> >> > Why do you think you need the plain text password?
> >> > Shiro matches the password supplied by subsequent authentication
> >> > attempts by going through the Sha256Hash algorithm again and comparing
> >> > the hashed outputs.
> >> >
> >> > This way, you can safely[1] store the hash and salt without giving
> >> > away a user's password.
> >> >
> >> > … or did you lose a password and need to recover it?
> >> >
> >> > You can also just set a new one, if you did not encrypt anything using
> >> > your old password.
> >> >
> >> > - Ben
> >> >
> >> > [1] Sha256 + salt + iterations is a little bit outdated.
> >> > For Shiro 2, we decided to implement more advanced algorithms.
> >> >
> >> > On Fri, 5 Nov 2021 at 15:39, Roberto Bottoni
> >> > <r.bott...@afterbit.com> wrote:
> >> >>
> >> >> Hello,
> >> >> I have little experience with encryption / decryption..
> >> >>
> >> >> for my web app I want to use Apache Shiro to log in users, with salted
> >> >> passwords..
> >> >>
> >> >> this is the article I read:
> >> >> http://shiro.apache.org/realm.html#Realm-HashingCredentials and the
> >> >> code to generate the salted password:
> >> >>
> >> >> import org.apache.shiro.crypto.hash.Sha256Hash;
> >> >> import org.apache.shiro.crypto.RandomNumberGenerator;
> >> >> import org.apache.shiro.crypto.SecureRandomNumberGenerator;
> >> >> ...
> >> >>
> >> >> //We'll use a Random Number Generator to generate salts. This
> >> >> //is much more secure than using a username as a salt or not
> >> >> //having a salt at all. Shiro makes this easy.
> >> >> //
> >> >> //Note that a normal app would reference an attribute rather
> >> >> //than create a new RNG every time:
> >> >> RandomNumberGenerator rng = new SecureRandomNumberGenerator();
> >> >> Object salt = rng.nextBytes();
> >> >>
> >> >> //Now hash the plain-text password with the random salt and multiple
> >> >> //iterations and then Base64-encode the value (requires less space
> >> >> //than Hex):
> >> >> String hashedPasswordBase64 = new Sha256Hash(plainTextPassword, salt,
> >> >>         1024).toBase64();
> >> >>
> >> >> User user = new User(username, hashedPasswordBase64);
> >> >> //save the salt with the new account. The HashedCredentialsMatcher
> >> >> //will need it later when handling login attempts:
> >> >> user.setPasswordSalt(salt);
> >> >> userDAO.create(user);
> >> >>
> >> >> This gives me an encrypted password..
> >> >> but how can I recover the plain text password?
> >> >> Is it possible?
> >> >
> >> > --
> >> > This message was scanned by Libraesva ESG and is believed to be clean.
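As an added illustration of what Ben describes (this is not code from the thread or from the Shiro project itself), the following round trip stores a salted, iterated SHA-256 hash the way the posted snippet does and then checks a login attempt two ways: by re-hashing the submitted password with the stored salt and comparing, and through Shiro's HashedCredentialsMatcher, which is what a realm does at login time. It assumes the Shiro 1.x API that the linked realm page and the posted snippet use; the class PasswordRoundTrip, the StoredCredential holder, the methods register, verifyManually and verifyWithMatcher, the realm name "demoRealm" and the sample username and passwords are all made up for this example.

```java
import java.security.MessageDigest;

import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.RandomNumberGenerator;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

/**
 * Store-then-verify round trip for a salted, iterated SHA-256 password hash.
 * Illustrative example: class, method and realm names are made up for the demo.
 */
public class PasswordRoundTrip {

    static final int ITERATIONS = 1024;

    /** The only two values the database ever holds for a user's credential. */
    static final class StoredCredential {
        final String hashBase64;
        final String saltBase64;
        StoredCredential(String hashBase64, String saltBase64) {
            this.hashBase64 = hashBase64;
            this.saltBase64 = saltBase64;
        }
    }

    /** Registration: fresh random salt per user, iterated hash, persist hash + salt. */
    static StoredCredential register(String plainTextPassword) {
        RandomNumberGenerator rng = new SecureRandomNumberGenerator();
        ByteSource salt = rng.nextBytes();
        String hashBase64 = new Sha256Hash(plainTextPassword, salt, ITERATIONS).toBase64();
        // The plaintext is never stored; only its hash and the salt are.
        return new StoredCredential(hashBase64, salt.toBase64());
    }

    /**
     * Login, done by hand: run the same hash over the submitted password with the
     * stored salt and compare the outputs in constant time. Nothing is "decrypted".
     */
    static boolean verifyManually(String submittedPassword, StoredCredential stored) {
        ByteSource salt = ByteSource.Util.bytes(Base64.decode(stored.saltBase64));
        byte[] recomputed = new Sha256Hash(submittedPassword, salt, ITERATIONS).getBytes();
        byte[] expected = Base64.decode(stored.hashBase64);
        return MessageDigest.isEqual(recomputed, expected);
    }

    /**
     * Login, the way a Shiro realm does it: a HashedCredentialsMatcher configured with
     * the same algorithm, iteration count and encoding that were used at registration.
     */
    static boolean verifyWithMatcher(String username, String submittedPassword,
                                     StoredCredential stored) {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        matcher.setHashAlgorithmName(Sha256Hash.ALGORITHM_NAME); // "SHA-256"
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(false);           // stored as Base64, not hex

        // What a realm's doGetAuthenticationInfo() would build from the database row:
        ByteSource salt = ByteSource.Util.bytes(Base64.decode(stored.saltBase64));
        SimpleAuthenticationInfo info =
                new SimpleAuthenticationInfo(username, stored.hashBase64, salt, "demoRealm");

        // What the login form produces:
        UsernamePasswordToken token = new UsernamePasswordToken(username, submittedPassword);
        return matcher.doCredentialsMatch(token, info);
    }

    public static void main(String[] args) {
        // Constructed sample credentials for the demo.
        StoredCredential cred = register("correct horse battery staple");

        System.out.println("stored hash (Base64): " + cred.hashBase64);
        System.out.println("stored salt (Base64): " + cred.saltBase64);
        System.out.println("manual check, right password:  "
                + verifyManually("correct horse battery staple", cred));
        System.out.println("manual check, wrong password:  "
                + verifyManually("Tr0ub4dor&3", cred));
        System.out.println("matcher check, right password: "
                + verifyWithMatcher("roberto", "correct horse battery staple", cred));
        System.out.println("matcher check, wrong password: "
                + verifyWithMatcher("roberto", "Tr0ub4dor&3", cred));
    }
}
```

Compile with shiro-core on the classpath and run main(): the right password verifies through both paths and the wrong one fails through both, and at no point is the stored hash turned back into a password. That is the whole reason a lost password is reset rather than recovered, and why the matcher must be configured with the same algorithm, iteration count and encoding that were used when the hash was written.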