Posted to user@shiro.apache.org by Joop Vriend <jo...@ddnh.nl> on 2013/08/13 19:47:30 UTC

Order of password and salt in Sha1Hash / SimpleHash?

Hi,

Can anyone tell me what the order of the password and the salt is in
Sha1Hash / SimpleHash? I mean, is the salt prefixed to the password
(salt+password) or the other way around (password+salt)? (I assume 1
iteration.) If I look at the source code (class SimpleHash), it looks
like salt+password, right?

    protected byte[] hash(byte[] bytes, byte[] salt, int hashIterations) throws UnknownAlgorithmException {
        MessageDigest digest = getDigest(getAlgorithmName());
        if (salt != null) {
            // salt goes into the digest first ...
            digest.reset();
            digest.update(salt);
        }
        // ... followed by the source bytes, so round one is H(salt || bytes)
        byte[] hashed = digest.digest(bytes);
        int iterations = hashIterations - DEFAULT_ITERATIONS; //already hashed once above
        //iterate remaining number: each round re-hashes only the previous output
        for (int i = 0; i < iterations; i++) {
            digest.reset();
            hashed = digest.digest(hashed);
        }
        return hashed;
    }

We have existing hashed (SHA-1) and salted passwords in a database.
Those values are SHA-1 hashes of password+salt. First we used
Sha1Hash.Sha1Hash(password, salt) when authenticating, but then the
values didn't match. If we put it the other way around, i.e.
Sha1Hash.Sha1Hash(salt, password), the values do match.

Thanks in advance, Joop.
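
The following is an added example, not part of Joop's message and not
Shiro code. It mirrors the SimpleHash.hash() method quoted above in
Python (hashlib instead of MessageDigest) to make the byte order visible:
update(salt) followed by digest(bytes) is the digest of salt || bytes, and
every further iteration re-hashes only the previous output. It then shows
why swapping the two constructor arguments reproduces a legacy
SHA-1(password || salt) row. The sample password and salt are constructed
here, and the helper assumes both were UTF-8 encoded when the legacy rows
were written (an assumption; the post does not say how the salt was
stored).

```python
import hashlib
import hmac
from typing import Optional

DEFAULT_ITERATIONS = 1  # same meaning as SimpleHash.DEFAULT_ITERATIONS


def shiro_simple_hash(source: bytes, salt: Optional[bytes],
                      hash_iterations: int = DEFAULT_ITERATIONS,
                      algorithm: str = "sha1") -> bytes:
    """Python mirror of the SimpleHash.hash(bytes, salt, hashIterations) logic.

    Round one digests salt || source (salt first, exactly as
    digest.update(salt); digest.digest(bytes) does in Java). Each remaining
    iteration feeds only the previous digest back in, so the salt and the
    source take part in the first round only.
    """
    h = hashlib.new(algorithm)
    if salt is not None:
        h.update(salt)
    h.update(source)
    hashed = h.digest()
    for _ in range(hash_iterations - DEFAULT_ITERATIONS):
        hashed = hashlib.new(algorithm, hashed).digest()
    return hashed


def legacy_hash(password: bytes, salt: bytes) -> bytes:
    """Layout of the existing database rows described in the post: SHA-1(password || salt)."""
    return hashlib.sha1(password + salt).digest()


def check_legacy_password(stored_hex: str, candidate: str, salt: str) -> bool:
    """Verify a candidate against a legacy SHA-1(password || salt) row using
    the argument swap from the post: the salt is passed as the *source* and
    the password as the *salt*, so round one digests password || salt.

    Assumption: password and salt were UTF-8 encoded when the row was written.
    The comparison is constant-time, as a verifier should be.
    """
    computed = shiro_simple_hash(source=salt.encode("utf-8"),
                                 salt=candidate.encode("utf-8"))
    return hmac.compare_digest(computed.hex(), stored_hex.lower())


def demo() -> dict:
    """Constructed sample: shows the natural order failing and the swap matching."""
    password, salt = b"correct horse", b"NaCl"   # constructed sample values
    stored = legacy_hash(password, salt)         # what the legacy table holds
    return {
        "stored": stored.hex(),
        "natural_order": shiro_simple_hash(password, salt).hex(),  # H(salt || pw): no match
        "swapped_order": shiro_simple_hash(salt, password).hex(),  # H(pw || salt): match
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

The swap only works because round one is a plain concatenation; with more
than one iteration both sides must also agree on how the remaining rounds
are chained, which the legacy scheme in the post (a single SHA-1) does not
do, so the practitioner's check is to compare at hash_iterations=1.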