shiro-dev mailing list archives

From Jim Manico <jim.man...@owasp.org>
Subject Re: Password doesn't match hashed and encrypted password
Date Sun, 20 Sep 2015 19:52:53 GMT
Using anything other than bcrypt, scrypt or PBKDF2 for password storage is usually a poor choice.
This advice from cryptographers is years old as well; this is not new advice.

New password advice says to avoid common password topologies... 

So Shiro's current password system hangs on advice that was bad even 5 years ago or so.

--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!

> On Sep 20, 2015, at 12:49 PM, martin.pring <martin@martinpring.com> wrote:
> 
> Hi!
> 
> I try to write a simple but yet secure login for a webportal but I'm stuck
> because I can't get Shiro to match a password stored in database with the
> password posted in the login form.
> 
> I store the user with the following code
> 
> private void saveUser(final User user, final String password) {
> 
>      final DefaultHashService hashService = new DefaultHashService();
>      hashService.setHashIterations(500000);
>      hashService.setHashAlgorithmName("SHA-256");
>      hashService.setGeneratePublicSalt(true);
>      hashService.setPrivateSalt(new SimpleByteSource("base64EncodedString"));
> 
>      final DefaultPasswordService passwordService = new DefaultPasswordService();
>      passwordService.setHashService(hashService);
> 
>      final String encryptedPassword = passwordService.encryptPassword(password);
> 
>      // Save password to user and store user in database
> }
> 
> Then when I try to login, this is my custom jdbcRealm
> 
> @Override
> protected AuthenticationInfo doGetAuthenticationInfo(final AuthenticationToken token) throws AuthenticationException {
> 
>    final UsernamePasswordToken upToken = (UsernamePasswordToken) token;
>    final String username = upToken.getUsername();
> 
>    Connection conn = null;
>    PreparedStatement statement = null;
>    ResultSet resultSet = null;
>    try {
>        conn = dataSource.getConnection();
>        statement = conn.prepareStatement(authenticationQuery);
>        statement.setString(1, username);
>        resultSet = statement.executeQuery();
> 
>        if (!resultSet.next()) {
>            return null; // no such user: returning null makes Shiro reject the login
>        }
>        final String encryptedPassword = resultSet.getString(1);
> 
>        final SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(username, encryptedPassword, getName());
> 
>        return info;
>    } catch (final SQLException e) {
>        throw new AuthenticationException("SQL error! : ", e);
>    } finally {
>        // Close Connection, PreparedStatement and ResultSet
>    }
> }
> 
> This is the part of shiro.ini that has to do with the passwordMatcher, hash-
> and passwordService
> 
> hashService = org.apache.shiro.crypto.hash.DefaultHashService
> hashService.hashIterations = 500000
> hashService.hashAlgorithmName = SHA-256
> hashService.generatePublicSalt = true
> # privateSalt needs to be base64-encoded in shiro.ini but not in the Java code
> hashService.privateSalt = base64EncodedSalt  (the same string as in the code above)
> 
> passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
> passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
> passwordService.hashService = $hashService
> passwordMatcher.passwordService = $passwordService
> 
> jdbcRealm = se.motoronline.login.server.realm.LoginJdbcRealm
> jdbcRealm.authenticationQuery = SELECT password FROM Users WHERE username = ?
> jdbcRealm.credentialsMatcher = $passwordMatcher
> 
> What am I doing wrong? The thing is, if I comment out the
> hashService.generatePublicSalt and hashService.privateSalt in shiro.ini
> everything works as it should and login succeeds, so it has to be something
> with the salts? Please explain what I'm doing wrong.
> 
> 
> 
> --
> View this message in context: http://shiro-developer.582600.n2.nabble.com/Password-doesn-t-match-hashed-and-encrypted-password-tp7578768.html
> Sent from the Shiro Developer mailing list archive at Nabble.com.
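Added worked example (not code from this thread or from Shiro): a Python model of how Shiro's DefaultHashService and Shiro1CryptFormat build the stored `$shiro1$...` string, used to show why the two privateSalt settings quoted above need not produce the same bytes. It takes as given the poster's own comment that shiro.ini base64-decodes privateSalt while `new SimpleByteSource("...")` wraps the literal's UTF-8 bytes; the salt value, password and function names are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import os

# Model of Shiro's DefaultHashService + Shiro1CryptFormat (illustration, not Shiro's code):
#   digest = H(private_salt || public_salt || utf8(password)), then (iterations - 1)
#   times digest = H(digest); stored as $shiro1$<alg>$<iterations>$<b64 public salt>$<b64 digest>.
# Only the public salt is stored; the private salt comes from config or code.

def _digest_name(alg):
    return alg.replace("-", "").lower()   # "SHA-256" -> hashlib's "sha256"

def shiro1_hash(password, private_salt, public_salt, iterations=500000, alg="SHA-256"):
    h = hashlib.new(_digest_name(alg))
    h.update(private_salt + public_salt)  # combined salt, private part first
    h.update(password.encode("utf-8"))
    digest = h.digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(_digest_name(alg), digest).digest()
    return "$shiro1$%s$%d$%s$%s" % (
        alg, iterations,
        base64.b64encode(public_salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))

def shiro1_verify(password, stored, private_salt):
    # PasswordMatcher re-hashes with the public salt and iteration count read back
    # from the stored string; only the private salt is supplied by configuration.
    _, tag, alg, iters, salt_b64, _ = stored.split("$")
    if tag != "shiro1":
        raise ValueError("not a $shiro1$ string")
    recomputed = shiro1_hash(password, private_salt, base64.b64decode(salt_b64),
                             int(iters), alg)
    return hmac.compare_digest(recomputed, stored)

# Constructed stand-in for the poster's "base64EncodedSalt" value.
PRIVATE_SALT_VALUE = base64.b64encode(b"example-private-salt").decode("ascii")

def private_salt_bytes(as_ini_parses_it):
    # Per the poster's comment, shiro.ini base64-decodes privateSalt, whereas
    # new SimpleByteSource("...") in the Java code wraps the literal's own UTF-8 bytes.
    if as_ini_parses_it:
        return base64.b64decode(PRIVATE_SALT_VALUE)
    return PRIVATE_SALT_VALUE.encode("utf-8")

def demonstrate_mismatch(password="correct horse", iterations=500000):
    # Store with the Java-side salt bytes, then verify under each interpretation.
    stored = shiro1_hash(password, private_salt_bytes(False), os.urandom(16), iterations)
    return {"java_literal_bytes": shiro1_verify(password, stored, private_salt_bytes(False)),
            "ini_decoded_bytes": shiro1_verify(password, stored, private_salt_bytes(True))}
```

Running `demonstrate_mismatch()` returns `{'java_literal_bytes': True, 'ini_decoded_bytes': False}`: the password hashed in Java only verifies when the realm's private salt is the same byte sequence, which the quoted shiro.ini value does not provide.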
