Posted to user@shiro.apache.org by Oncle Zebulon <on...@gmail.com> on 2015/09/18 11:34:00 UTC

Store hash and salt in a database

Hi everybody,

Just a little question: what is the best way to store the hash/salt in a
database?
A user table with
- hash and salt columns and then use HashedCredentialsMatcher (for example)
OR
- a password column and then use PasswordMatcher (password generated by the hasher
tool)
- something else...

The salt must be hashed too.

BTW, I notice that when I use the hasher tool
    java -jar shiro-tools-hasher-1.2.4-cli.jar -p -s mySalt -ngs -i 200000 -a SHA-512
and then I "copy/paste" the hashed salt and the hashed password into the
salt and hash columns, the login fails. It works only if I copy/paste
the salt in plaintext (mySalt in the example)... It means that to make it work, I
must reuse the tool with the hashed salt. Then, putting the hashed salt of
the first step in the salt column and the hashed password of the second step
into the hash column, it works! Strange...?

Regards




--
View this message in context: http://shiro-user.582556.n2.nabble.com/Store-hash-and-salt-in-a-database-tp7580766.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Store hash and salt in a database

Posted by Stuart Broad <st...@moogsoft.com>.
Hi Oncle,

I don't think it is dangerous to store the algorithm/iterations as storing
this does not enable an easy brute force dictionary attack.

Sorry I don't really understand the second part of your question.  I set up
a password service as follows:

        import org.apache.shiro.authc.credential.DefaultPasswordService;
        import org.apache.shiro.crypto.hash.DefaultHashService;
        import org.apache.shiro.crypto.hash.format.HashFormatFactory;
        import org.apache.shiro.util.ByteSource;

        // Private salt ("pepper") held by the application, never written to the database.
        ByteSource pepper = ByteSource.Util.bytes(...);

        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName(...);   // digest algorithm name
        hashService.setHashIterations(...);      // number of hash iterations
        hashService.setGeneratePublicSalt(...);  // whether a random public salt is generated per hash
        hashService.setPrivateSalt(...);         // the private salt / pepper

        DefaultPasswordService passwordService = new DefaultPasswordService();
        passwordService.setHashService(hashService);

        // Controls how the stored string is rendered (e.g. the $shiro1$ format).
        HashFormatFactory hashFormatFactory = passwordService.getHashFormatFactory();

Cheers,

Stuart

On Fri, Sep 18, 2015 at 12:14 PM, Oncle Zebulon <on...@gmail.com>
wrote:

Re: Store hash and salt in a database

Posted by Oncle Zebulon <on...@gmail.com>.
Hi Stuart,
Thx for the reply!
Isn't it dangerous to store the algo and the iterations? An attacker would
be glad to have that information!
No?

What do you think about the second part of my mail? It seems that in
JdbcRealm.doGetAuthenticationInfo()

    if (salt != null) {
        info.setCredentialsSalt(ByteSource.Util.bytes(salt));
    }

the salt is correctly retrieved from the database but is modified here. Am I
using the tool correctly??
Regards



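The two storage options from the original question, and the salt behaviour behind the JdbcRealm line above, as an added example that is not part of this thread or of Shiro itself: a small Python re-implementation of Shiro's SimpleHash iteration scheme (H(salt || password), then re-digest iterations-1 times) and of the $shiro1$ modular crypt string the hasher tool prints by default. It assumes the "hashed salt" being copied is the base64 salt field of that output, that the hash column holds base64 (HashedCredentialsMatcher with storedCredentialsHexEncoded=false), and that no private salt is configured; the password is a constructed sample.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the thread); the salt text and iteration
# count mirror the poster's command line: -s mySalt -i 200000 -a SHA-512.
PASSWORD = "correct horse battery"
SALT_TEXT = "mySalt"
ITERATIONS = 200000
ALGORITHM = "SHA-512"


def shiro_simple_hash(password: bytes, salt: bytes, iterations: int, algorithm: str) -> bytes:
    """Digest the way Shiro's SimpleHash does: H(salt || password), then
    re-digest the result (iterations - 1) more times. A private salt
    (DefaultHashService pepper) is not modelled here (assumption: none set)."""
    name = algorithm.replace("-", "").lower()  # "SHA-512" -> "sha512" for hashlib
    h = hashlib.new(name)
    h.update(salt)
    h.update(password)
    digest = h.digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(name, digest).digest()
    return digest


def format_shiro1(password: str, salt: bytes, iterations: int, algorithm: str) -> str:
    """Render a $shiro1$ modular crypt string: algorithm, iterations,
    base64(salt), base64(digest). The salt field is encoded, not hashed."""
    digest = shiro_simple_hash(password.encode("utf-8"), salt, iterations, algorithm)
    return "$shiro1$%s$%d$%s$%s" % (
        algorithm,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_shiro1(password: str, stored: str) -> bool:
    """Single-column storage (PasswordMatcher style): everything needed to
    re-hash is inside the string, so the algorithm or iteration count can
    change later without touching the table schema."""
    _, marker, algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if marker != "shiro1":
        raise ValueError("not a shiro1 string")
    salt = base64.b64decode(salt_b64)
    expected = shiro_simple_hash(password.encode("utf-8"), salt, int(iterations), algorithm)
    return hmac.compare_digest(expected, base64.b64decode(digest_b64))


def verify_salt_column(password: str, salt_column: str, hash_b64: str,
                       iterations: int, algorithm: str) -> bool:
    """Two-column storage as JdbcRealm handles it: ByteSource.Util.bytes(salt)
    turns the column's characters into the raw salt bytes with no decoding.
    Hash column assumed base64 (storedCredentialsHexEncoded=false)."""
    expected = shiro_simple_hash(password.encode("utf-8"), salt_column.encode("utf-8"),
                                 iterations, algorithm)
    return hmac.compare_digest(expected, base64.b64decode(hash_b64))


def demo(iterations: int = ITERATIONS) -> dict:
    """Compare the storage choices for one password and return the outcomes."""
    stored = format_shiro1(PASSWORD, SALT_TEXT.encode("utf-8"), iterations, ALGORITHM)
    salt_b64, hash_b64 = stored.split("$")[4:6]
    return {
        "mcf_string": stored,
        "mcf_verifies": verify_shiro1(PASSWORD, stored),
        "mcf_rejects_wrong_password": not verify_shiro1("wrong", stored),
        # The plaintext salt in the salt column reproduces the tool's digest...
        "plaintext_salt_column": verify_salt_column(PASSWORD, SALT_TEXT, hash_b64,
                                                    iterations, ALGORITHM),
        # ...but the base64 salt field copied from the tool's output does not,
        # because "bXlTYWx0" is then used as the salt instead of "mySalt".
        "base64_salt_column": verify_salt_column(PASSWORD, salt_b64, hash_b64,
                                                 iterations, ALGORITHM),
    }


if __name__ == "__main__":
    for key, value in demo(iterations=5000).items():
        print(f"{key}: {value}")
```

Running it shows why pasting the tool's salt field into a separate salt column fails while the plaintext salt works: the column is consumed as raw bytes, so it must hold exactly the salt the tool was given. Storing the whole $shiro1$ string in one column avoids that mismatch and keeps the algorithm and iteration count alongside the hash, which is what the MCF suggestion in this thread relies on.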

Re: Store hash and salt in a database

Posted by Stuart Broad <st...@moogsoft.com>.
Hi Oncle,

Sorry I meant to paste this link:

https://shiro.apache.org/static/1.2.1/apidocs/org/apache/shiro/crypto/hash/format/Shiro1CryptFormat.html

Cheers,

Stuart

On Fri, Sep 18, 2015 at 10:49 AM, Stuart Broad <st...@moogsoft.com> wrote:

Re: Store hash and salt in a database

Posted by Stuart Broad <st...@moogsoft.com>.
Hi,

These links might be useful:

https://shiro.apache.org/static/1.2.3/apidocs/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html

https://shiro.apache.org/static/1.2.3/apidocs/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html

https://pythonhosted.org/passlib/modular_crypt_format.html

I think using the MCF format is a good idea as it means the passwords can
be automatically re-encrypted later if you change the algorithm.

Cheers,

Stuart

On Fri, Sep 18, 2015 at 10:34 AM, Oncle Zebulon <on...@gmail.com>
wrote: