From: NabbleReallySucks
To: user@shiro.apache.org
Date: Wed, 13 Mar 2013 17:57:22 -0700 (PDT)
Subject: Re: Question on hashing and cryptography. Not able to login
Message-ID: <1363222642037-7578379.post@n2.nabble.com>
References: <1363217587346-7578370.post@n2.nabble.com>

Thanks.

Our code would do

    // fresh key for every account
    Key key = cipherService.generateNewKey();
    // encrypt the password under that key
    ByteSource encryptedPassword = cipherService.encrypt(accountSecurity.getPassword().getBytes(), key.getEncoded());
    // store the key in the salt column and the ciphertext as Base64
    accountSecurity.setSaltValue(new String(key.getEncoded()));
    accountSecurity.setPassword(encryptedPassword.toBase64());
    accountService.save(accountSecurity);

So I was assuming that each and every saved password would have a different key anyway. And we would save that key as the salt value.

Our app will be for real money gambling, so it has to pass the standards committee's rules. So I don't think SHA256 is enough to pass.

So I guess I can implement my own matcher that decrypts using the AES Cipher class.

Thanks

Mark
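
An added example, not part of the original message and not Shiro code: it checks whether a raw AES key survives the new String(key.getEncoded()) step in the snippet above, compared with Base64, and then tries to decrypt with each recovered key. Assumptions: plain JDK javax.crypto with AES/GCM stands in for the poster's cipherService, the key bytes are a constructed sample, and UTF-8 is named explicitly where the snippet relies on the platform default charset.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class KeyRoundTrip {
    // Constructed 128-bit sample key; like most random keys it is not valid UTF-8 text.
    static final byte[] KEY = {
        (byte) 0x9f, 0x12, (byte) 0xc3, 0x28, (byte) 0xff, 0x00, 0x41, (byte) 0x80,
        0x7e, (byte) 0xe2, 0x33, (byte) 0xa0, 0x5b, (byte) 0xfe, 0x10, (byte) 0xd1 };

    // What the stored value yields when the key was saved with new String(bytes).
    static byte[] viaString(byte[] raw) {
        return new String(raw, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
    }

    // Same key stored as Base64 text instead.
    static byte[] viaBase64(byte[] raw) {
        return Base64.getDecoder().decode(Base64.getEncoder().encodeToString(raw));
    }

    static byte[] aesGcm(int mode, byte[] key, byte[] iv, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] ct = aesGcm(Cipher.ENCRYPT_MODE, KEY, iv, "s3cret".getBytes(StandardCharsets.UTF_8));

        byte[] fromString = viaString(KEY);
        byte[] fromBase64 = viaBase64(KEY);
        System.out.println("String round trip intact: " + Arrays.equals(KEY, fromString));
        System.out.println("Base64 round trip intact: " + Arrays.equals(KEY, fromBase64));

        byte[] pt = aesGcm(Cipher.DECRYPT_MODE, fromBase64, iv, ct);
        System.out.println("Decrypt with Base64 key: " + new String(pt, StandardCharsets.UTF_8));
        try {
            aesGcm(Cipher.DECRYPT_MODE, fromString, iv, ct);
            System.out.println("Decrypt with String key: unexpectedly succeeded");
        } catch (GeneralSecurityException e) {
            // Invalid bytes became U+FFFD, so the recovered key has the wrong length or value.
            System.out.println("Decrypt with String key failed: " + e.getClass().getSimpleName());
        }
    }
}
```

On a JVM whose default charset is ISO-8859-1 the String round trip happens to be lossless, so the outcome of the original snippet depends on the platform it runs on.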