Posted to user@shiro.apache.org by Joop Vriend <jo...@ddnh.nl> on 2013/08/13 19:47:30 UTC
Order of password and salt in Sha1Hash / SimpleHash?
Hi,
Can anyone tell me what the order of the password and the salt is in
Sha1Hash / SimpleHash? I mean, is the salt prefixed to the password
(salt+password) or the other way around (password+salt)? (I assume 1
iteration.) If I look at the source code (class SimpleHash), it looks
like salt+password, right?
    protected byte[] hash(byte[] bytes, byte[] salt, int hashIterations) throws UnknownAlgorithmException {
        MessageDigest digest = getDigest(getAlgorithmName());
        if (salt != null) {
            digest.reset();
            digest.update(salt);
        }
        byte[] hashed = digest.digest(bytes);
        int iterations = hashIterations - DEFAULT_ITERATIONS; //already hashed once above
        //iterate remaining number:
        for (int i = 0; i < iterations; i++) {
            digest.reset();
            hashed = digest.digest(hashed);
        }
        return hashed;
    }
We have existing hashed (SHA-1) and salted passwords in a database.
Those values are a SHA-1 hash of password+salt. First we used
Sha1Hash.Sha1Hash(password, salt) when authenticating, but then the
values don't match. If we put it the other way around, so
Sha1Hash.Sha1Hash(salt, password), the values do match.
Thanks in advance, Joop.
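
Added example, not part of the original post and not Shiro's own code: a JDK-only copy of the quoted hash() logic, compared against plain SHA-1 over both concatenation orders to show which argument order reproduces a legacy SHA-1(password+salt) value. The class name SaltOrderDemo, the helper sha1Concat and the sample password and salt are assumptions constructed for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class SaltOrderDemo {
    // Mirrors the hash() method quoted above using only the JDK; the "- 1"
    // reflects its "already hashed once above" comment (assumed default of 1).
    static byte[] hash(byte[] bytes, byte[] salt, int hashIterations)
            throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance("SHA-1");
        if (salt != null) {
            digest.reset();
            digest.update(salt);              // salt bytes enter the digest first
        }
        byte[] hashed = digest.digest(bytes); // source bytes are appended, then finalised
        for (int i = 0; i < hashIterations - 1; i++) {
            digest.reset();
            hashed = digest.digest(hashed);
        }
        return hashed;
    }

    // Plain SHA-1 over first || second, used as the reference value.
    static byte[] sha1Concat(byte[] first, byte[] second) throws NoSuchAlgorithmException {
        byte[] joined = Arrays.copyOf(first, first.length + second.length);
        System.arraycopy(second, 0, joined, first.length, second.length);
        return MessageDigest.getInstance("SHA-1").digest(joined);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values, not taken from the post.
        byte[] password = "example-password".getBytes(StandardCharsets.UTF_8);
        byte[] salt = "example-salt".getBytes(StandardCharsets.UTF_8);

        // Legacy database format described in the post: SHA-1(password+salt).
        byte[] legacy = sha1Concat(password, salt);

        System.out.println("hash(password, salt) == SHA-1(salt+password): "
                + MessageDigest.isEqual(hash(password, salt, 1), sha1Concat(salt, password)));
        System.out.println("hash(password, salt) matches legacy value:    "
                + MessageDigest.isEqual(hash(password, salt, 1), legacy));
        System.out.println("hash(salt, password) matches legacy value:    "
                + MessageDigest.isEqual(hash(salt, password, 1), legacy));
    }
}
```

The comparison is over bytes, so the password and salt must be converted to the same byte sequences the legacy code hashed.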