Posted to user@shiro.apache.org by Roberto Bottoni <r....@afterbit.com> on 2021/11/05 14:38:38 UTC

Apache Shiro recover password

Hello,
I have little experience with encryption / decryption.

For my web app I want to use Apache Shiro to log in users, with salted passwords.

This is the article I read: http://shiro.apache.org/realm.html#Realm-HashingCredentials, and this is the code to generate the salted password:

import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.crypto.RandomNumberGenerator;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
...

//We'll use a Random Number Generator to generate salts.  This
//is much more secure than using a username as a salt or not
//having a salt at all.  Shiro makes this easy.
//
//Note that a normal app would reference an attribute rather
//than create a new RNG every time:
RandomNumberGenerator rng = new SecureRandomNumberGenerator();
Object salt = rng.nextBytes();

//Now hash the plain-text password with the random salt and multiple
//iterations and then Base64-encode the value (requires less space than Hex):
String hashedPasswordBase64 = new Sha256Hash(plainTextPassword, salt, 1024).toBase64();

User user = new User(username, hashedPasswordBase64);
//save the salt with the new account.  The HashedCredentialsMatcher
//will need it later when handling login attempts:
user.setPasswordSalt(salt);
userDAO.create(user);

This gives me an encrypted password, but how can I recover the plain text password?
Is it possible?

Re: Apache Shiro recover password

Posted by Les Hazlewood <lh...@apache.org>.
Just for posterity:

Modern password hashing schemes are always one-way operations; it is
infeasible (and practically impossible) for anyone but a nation state w/
immense computing resources to take hash output and attempt to recover the
original plaintext password.

It is this unidirectional (one way) nature of hashing that helps make
password hashes safe.  If the raw passwords (plaintext) could be easily
recovered in their original form, that means it could be easy for attackers
to do so as well.  This is why Apache Shiro only implements one-way
password hashing schemes.

Best,

Les

On Sun, Nov 7, 2021 at 1:26 AM Roberto Bottoni <r....@afterbit.com>
wrote:

Re: Apache Shiro recover password

Posted by Roberto Bottoni <r....@afterbit.com>.
Hi Ben,

The fact that "...This is possible only in theory and/or with a lot of money..." is the most important thing!

Well, I set a new password.

Thank you!
Bye!

R.



On 06-11-2021 21:06 Benjamin Marwell wrote:

Re: Apache Shiro recover password

Posted by Benjamin Marwell <bm...@apache.org>.
Hello Roberto!

This is possible only in theory and/or with a lot of money.
You can use hacking tools which run on your GPU, but even then it
might take years to find it.
And that is exactly the point: password-based key derivation functions
are designed to create an irreversible hash.

Shiro 2.0 will use even better KDFs like Argon2 or bcrypt/scrypt,
which require a vast amount of memory and CPU to make attacks not
feasible.

If you have access to the database where you stored the password, I
would just set a new password and forget about the old one, if
possible.

Best regards,
Ben

On Sat, 6 Nov 2021 at 10:39, Roberto Bottoni
<r....@afterbit.com> wrote:

Re: Apache Shiro recover password

Posted by Roberto Bottoni <r....@afterbit.com>.
Hi Ben,

Yes! The case is: "...or did you lose a password and need to recover it?"
How can I do that?

Roberto




On 05-11-2021 21:41 Benjamin Marwell wrote:

Re: Apache Shiro recover password

Posted by Benjamin Marwell <bm...@apache.org>.
Hi Robert,

Why do you think you need the plain text password?
Shiro matches the password supplied by subsequent authentication
attempts by going through the Sha256Hash algorithm again and comparing
the hashed outputs.

This way, you can safely[1] store the hash and salt without giving
away a user's password.

… or did you lose a password and need to recover it?

You can also just set a new one, if you did not encrypt anything using
your old password.

- Ben

[1] Sha256 + salt + iterations is a little bit outdated.
For Shiro 2, we decided to implement more advanced algorithms.

On Fri, 5 Nov 2021 at 15:39, Roberto Bottoni
<r....@afterbit.com> wrote:
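Ben's explanation above (re-hash the submitted password with the stored salt and iteration count, then compare the digests) in code. This is an added example, not code from the thread or from the Shiro project; it assumes Shiro 1.x (where ByteSource lives in org.apache.shiro.util), and StoredCredential, register and verify are names I made up to stand in for the thread's User and userDAO.

```java
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;
import java.security.MessageDigest;

// Added example (not from the thread or the Shiro project): registration keeps
// only hash + salt; login recomputes the same Sha256Hash from the submitted
// password and compares digests. The plaintext is never stored or needed again.
public class PasswordCheckExample {
    static final int ITERATIONS = 1024; // same value as the documentation snippet

    // Hypothetical stand-in for the thread's User entity: what the database holds.
    static final class StoredCredential {
        final String hashBase64;
        final String saltBase64;
        StoredCredential(String hashBase64, String saltBase64) {
            this.hashBase64 = hashBase64;
            this.saltBase64 = saltBase64;
        }
    }

    // Registration: fresh random salt per account, 1024 SHA-256 iterations.
    static StoredCredential register(String plainTextPassword) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hashBase64 = new Sha256Hash(plainTextPassword, salt, ITERATIONS).toBase64();
        // The salt must be persisted too; without it the hash cannot be recomputed at login.
        return new StoredCredential(hashBase64, salt.toBase64());
    }

    // Login: this is what HashedCredentialsMatcher (hashAlgorithmName=SHA-256,
    // hashIterations=1024, storedCredentialsHexEncoded=false) does for a realm.
    static boolean verify(StoredCredential stored, String submittedPassword) {
        ByteSource salt = ByteSource.Util.bytes(Base64.decode(stored.saltBase64));
        byte[] recomputed = new Sha256Hash(submittedPassword, salt, ITERATIONS).getBytes();
        byte[] expected = Base64.decode(stored.hashBase64);
        // Constant-time comparison: a mismatch must not leak how many bytes agreed.
        return MessageDigest.isEqual(expected, recomputed);
    }

    public static void main(String[] args) {
        String original = "correct horse battery staple"; // constructed sample password
        StoredCredential stored = register(original);
        System.out.println("stored hash: " + stored.hashBase64);
        System.out.println("stored salt: " + stored.saltBase64);
        System.out.println("same password matches:  " + verify(stored, original));
        System.out.println("wrong password matches: " + verify(stored, original + "!"));
        // A lost plaintext is not recovered from these two strings; the data-side
        // remedy is the one the thread settles on: store a new hash for a new password.
        StoredCredential reset = register("new-password-after-reset");
        System.out.println("old password after reset: " + verify(reset, original));
    }
}
```

In a real realm you would not call verify yourself: configure HashedCredentialsMatcher with the same algorithm name, iteration count and encoding and let the realm return the stored hash and salt.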