Posted to user@shiro.apache.org by Minas Manthos <mi...@gmail.com> on 2012/12/11 11:38:04 UTC

Re: Command Line Hasher Private Salts

Regarding your second question: just write your own CryptFormat (see
Shiro1CryptFormat), shouldn't be a big deal. 



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Command-Line-Hasher-Private-Salts-tp7578019p7578036.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Command Line Hasher Private Salts

Posted by Les Hazlewood <lh...@apache.org>.
Just a note: the default Shiro1CryptFormat is a Modular Crypt Format (MCF)
that outputs the _hashed_ password (not the actual password), in addition
to the information used to compute the hash.  This additional information
is used later during the password comparison process.

The reason why MCF formats are beneficial is that information in the format
can be parsed at a later time (e.g. during password comparisons) to
discover the original hash parameters.  Those hash parameters are then used
to compute a hash for a submitted password during an authentication attempt
(and then the two outputs are compared - if equal, then authentication was
successful).  This means that even if you change your PasswordService
hashing parameters today, hashes created yesterday can still be used for
hash comparisons.

If you don't use an MCF-formatted output and you change your
PasswordService hashing parameters today, all of your previously hashed
passwords will no longer work and those accounts couldn't log in.  You'd
instantly invalidate all account passwords unless you had a historical
record somewhere else (another file? another db table?) of those parameters.

HTH,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk

On Tue, Dec 11, 2012 at 2:38 AM, Minas Manthos <mi...@gmail.com> wrote:
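An added example (written for this archive page, not code from Shiro or from either poster) showing the point Les makes above: a PasswordService whose encrypt step uses the service's current parameters, while the match step takes algorithm, iteration count and salt from the stored string itself. It assumes the Shiro1 layout `$shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>` and a hashing rule of digest(salt || password) re-digested iterations-1 times; that rule is an assumption about Shiro's SimpleHash, chosen so the example runs stand-alone in Python. The `raw_digest_matches` function is the non-MCF alternative, included to show how it breaks once parameters change.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed Shiro1 MCF layout (reconstructed for this example, not Shiro's own code):
#     $shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>
FORMAT_ID = "shiro1"


@dataclass(frozen=True)
class ParsedHash:
    algorithm: str
    iterations: int
    salt: bytes
    digest: bytes


def _hashlib_name(algorithm):
    # Shiro spells algorithms "SHA-256"; hashlib wants "sha256".
    return algorithm.replace("-", "").lower()


def iterated_digest(algorithm, salt, password, iterations):
    """digest(salt || password), then re-digest the result (iterations - 1) more times.
    Assumed to mirror Shiro's SimpleHash; the exact rule is an assumption of this example."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    name = _hashlib_name(algorithm)
    out = hashlib.new(name, salt + password).digest()
    for _ in range(iterations - 1):
        out = hashlib.new(name, out).digest()
    return out


def format_mcf(algorithm, iterations, salt, digest):
    """Serialize hash plus the parameters needed to recompute it."""
    return "$".join(["", FORMAT_ID, algorithm, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def parse_mcf(stored):
    """Recover the parameters from a stored string; reject anything not in the expected layout."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "" or parts[1] != FORMAT_ID:
        raise ValueError("not a shiro1 MCF string")
    _, _, algorithm, iterations, salt_b64, digest_b64 = parts
    return ParsedHash(algorithm, int(iterations),
                      base64.b64decode(salt_b64, validate=True),
                      base64.b64decode(digest_b64, validate=True))


class PasswordService:
    """encrypt_password uses this service's current parameters; passwords_match uses the
    parameters parsed from the stored hash, so reconfiguring the service never breaks old hashes."""

    def __init__(self, algorithm="SHA-256", iterations=500000, salt_bytes=16):
        self.algorithm = algorithm
        self.iterations = iterations
        self.salt_bytes = salt_bytes

    def encrypt_password(self, password):
        salt = os.urandom(self.salt_bytes)  # per-password random salt, stored in the string
        digest = iterated_digest(self.algorithm, salt, password.encode("utf-8"), self.iterations)
        return format_mcf(self.algorithm, self.iterations, salt, digest)

    def passwords_match(self, submitted, stored):
        p = parse_mcf(stored)
        candidate = iterated_digest(p.algorithm, p.salt, submitted.encode("utf-8"), p.iterations)
        return hmac.compare_digest(candidate, p.digest)


def raw_digest_matches(service, submitted, salt, stored_digest):
    """The non-MCF alternative: only the digest is stored, so verification has to use
    whatever parameters the service has *now*. Change them and every old hash fails."""
    candidate = iterated_digest(service.algorithm, salt, submitted.encode("utf-8"), service.iterations)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    old = PasswordService("SHA-256", iterations=1000)   # yesterday's configuration
    stored = old.encrypt_password("correct horse")
    new = PasswordService("SHA-512", iterations=2000)   # today's configuration
    print(stored)
    print(new.passwords_match("correct horse", stored))  # True: parameters come from the string
    print(new.passwords_match("wrong", stored))          # False
    p = parse_mcf(stored)
    print(raw_digest_matches(new, "correct horse", p.salt, p.digest))  # False: old hash unusable
```

Running the script shows the MCF-backed service still accepting yesterday's hash after the algorithm and iteration count change, while the raw-digest check rejects the same password with the same salt. The `parse_mcf` layout check also rejects strings from other crypt formats instead of silently comparing against garbage, which is the behaviour you want when a second CryptFormat (as Minas suggests writing) is added later and the stored strings become mixed.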