shiro-dev mailing list archives

From "Alan D. Cabrera" <>
Subject Re: Password and hash management
Date Fri, 05 Nov 2010 13:53:18 GMT

On Nov 5, 2010, at 9:34 AM, Alan D. Cabrera wrote:

> On Nov 5, 2010, at 12:27 AM, Les Hazlewood wrote:
>> The information used for Shiro to reconstitute the hash, such as # of
>> hash iterations is usually application wide and can be specified as a
>> configuration parameter in Shiro (e.g.
>> credentialsManager.numHashIterations = 2048).  The only reason I can
>> see for storing it in the salt directly is that you might want the #
>> of hash iterations to be unique per user.  Is this what you'd like to
>> support?

I am not advocating storing the hash number with the salt.

>> While this is possible, most applications that would ever change that
>> number end up doing it on a periodic basis system-wide, for example,
>> once a week or once a month for all accounts.  I'm not sure if
>> per-user values would be 'worth it', but I'm totally open on this and
>> would love to see what you guys think.

I think that here is the crux of one of our disconnects.  This "key" which we are now calling
"index" is not per user.  It's per "algorithm".

Also, it's extremely helpful to have this facility when the hashes or encryptions go out into
the wild and are long lived.


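The "index" Alan describes is an identifier of the hashing algorithm and its parameters (digest, iteration count), stored with each credential so that a hash which lives for years can still be recomputed after the application-wide settings change. The following is an added example illustrating that design in Python; it is not code from this thread or from Shiro. It assumes a constructed registry of algorithm profiles keyed by a small integer index, a stored format of `$index$salt$hash` in base64, and PBKDF2-HMAC standing in for Shiro's iterated digest; the names `PROFILES`, `CURRENT_INDEX`, `hash_password`, `verify_password` and `upgrade_if_needed` are invented for the illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed registry: index -> (digest name, iteration count).
# The index identifies an algorithm/parameter set, not a user, so a
# system-wide change (say, raising iterations once a month) is a new
# entry here rather than a new column per account.
PROFILES = {
    1: ("sha256", 1024),
    2: ("sha256", 2048),
}
# The profile new credentials are written with today.
CURRENT_INDEX = 2


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes, index: int) -> bytes:
    """Recompute the hash for a password under the profile named by index."""
    digest, iterations = PROFILES[index]
    # PBKDF2 stands in for an iterated salted digest; the point is that
    # every parameter needed to reproduce the hash comes from the profile.
    return hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations)


def hash_password(password: str, index: int = CURRENT_INDEX, salt: bytes = None) -> str:
    """Return a self-describing credential string: $index$salt$hash (base64)."""
    if index not in PROFILES:
        raise ValueError("unknown algorithm index %r" % index)
    if salt is None:
        salt = os.urandom(16)  # per-credential random salt
    return "$%d$%s$%s" % (index, _b64(salt), _b64(_derive(password, salt, index)))


def parse_stored(stored: str):
    """Split a stored credential into (index, salt, hash); reject malformed input."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("malformed stored credential")
    index = int(parts[1])
    return index, base64.b64decode(parts[2]), base64.b64decode(parts[3])


def verify_password(password: str, stored: str):
    """Return (matches, needs_rehash).

    matches      -> the password reproduces the stored hash
    needs_rehash -> the credential was written under an older profile and
                    should be re-stored under CURRENT_INDEX on this login
    """
    index, salt, expected = parse_stored(stored)
    if index not in PROFILES:
        # An index we no longer know how to compute is a data problem, not
        # a wrong password; surface it rather than silently failing login.
        raise ValueError("unknown algorithm index %r" % index)
    actual = _derive(password, salt, index)
    # Constant-time comparison so timing does not leak how many bytes matched.
    matches = hmac.compare_digest(actual, expected)
    return matches, index != CURRENT_INDEX


def upgrade_if_needed(password: str, stored: str) -> str:
    """After a successful login, move an old-profile credential to the current one."""
    matches, needs_rehash = verify_password(password, stored)
    if matches and needs_rehash:
        return hash_password(password)  # fresh salt, CURRENT_INDEX
    return stored


if __name__ == "__main__":
    # Constructed walk-through: a credential written when profile 1 was current.
    old = hash_password("correct horse", index=1)
    print(old, verify_password("correct horse", old))   # (True, True)
    new = upgrade_if_needed("correct horse", old)
    print(new, verify_password("correct horse", new))   # (True, False)
```

Because the profile index travels with the hash, raising the iteration count is a one-line change to `PROFILES` plus a bump of `CURRENT_INDEX`; old credentials keep verifying and are migrated on next login, which is the long-lived-hash case Alan raises.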