shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Kogan (JIRA)" <>
Subject [jira] Commented: (SHIRO-213) Password and hash management
Date Tue, 02 Nov 2010 22:04:26 GMT


Michael Kogan commented on SHIRO-213:

Some thoughts as I am working on this for my project.

It is undesirable to store the number of hash iterations and to a lesser degree hash algorithm
with the credentials.
I realize this is security-by-obscurity, but sometimes obscurity is enough.

Use version information stored with the credentials, with the code interpreting the version's
mapping to hashing algorithm and number of iterations.


  * Add version to  SaltedAuthenticationInfo or create VersionedSaltedAuthenticationInfo
  * Hashed credentials matcher uses the version to look up the hashing algorithm and number
of hash iterations in HashingManager
  * Create HashingManager class that given a version can return the hashing algorithm and
number of hash iterations
  * Add HashingManager to SecurityManager, allow it to be configured programtically or through

Any thoughts?

> Password and hash management
> ----------------------------
>                 Key: SHIRO-213
>                 URL:
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Alan Cabrera
> Sometimes secure hashes are long lived.  I usually will hash something but prefix the
string to be hashed with a secret password; I will usually add a bit of salt too. Often I
will need to change the password to that hash on a periodic basis. Sometimes I find out that
a particular hash algorithm is no longer secure and need to change my hash.  What do I do
with the old hashes?  How can I tell them apart from the new ones?
> What I do is store the hashes as tuples which contain enough information my code to figure
out what hash to use.  All of this applies to encryption as well.
> I'm wondering is if we should provide some kind of manager to manage all this. 

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message