dstarh

Reputation: 5076

Hashing and Salting passwords with shiro

In apache shiro the default hash implementation is as follows:

protected byte[] hash(byte[] bytes, byte[] salt, int hashIterations) throws UnknownAlgorithmException {
    MessageDigest digest = getDigest(getAlgorithmName());
    if (salt != null) {
        digest.reset();
        digest.update(salt); // salt is fed to the digest first, then the password bytes
    }
    byte[] hashed = digest.digest(bytes);
    int iterations = hashIterations - 1; // already hashed once above
    // iterate remaining number:
    for (int i = 0; i < iterations; i++) {
        digest.reset();
        hashed = digest.digest(hashed);
    }
    return hashed;
}

Notice how it puts the salt first. We are having to authenticate against a legacy system where the hashes were password + salt and not salt + password.

I'm currently doing the concat outside this method call and passing null in for the salt. Aside from subclassing and overriding this method is there a better way than what I'm having to do?

Upvotes: 3

Views: 1088

Answers (1)

dstarh

Reputation: 5076

It turns out subclassing SimpleHash and overriding one method did the trick. Just reset the digest, add the salt, then the pw, and then digest it, and it works fine.

Upvotes: 2
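As an added example (not code from the question, the answer, or Shiro itself), one way to write the subclass the answer describes, plus a HashedCredentialsMatcher that builds the same legacy-order hash for submitted credentials so the comparison uses password-then-salt on both sides. The class names are invented here; it assumes Shiro 1.x's protected SimpleHash.hash(byte[], byte[], int) and HashedCredentialsMatcher.hashProvidedCredentials(Object, Object, int) hooks.

```java
import java.security.MessageDigest;

import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.UnknownAlgorithmException;
import org.apache.shiro.crypto.hash.Hash;
import org.apache.shiro.crypto.hash.SimpleHash;

/**
 * Hash that feeds the password bytes first and the salt second, i.e.
 * H(password || salt), matching the legacy store instead of Shiro's
 * default H(salt || password). (Example class, name is hypothetical.)
 */
public class LegacyOrderHash extends SimpleHash {

    public LegacyOrderHash(String algorithmName, Object source, Object salt, int hashIterations) {
        super(algorithmName, source, salt, hashIterations); // SimpleHash's constructor calls hash() below
    }

    @Override
    protected byte[] hash(byte[] bytes, byte[] salt, int hashIterations)
            throws UnknownAlgorithmException {
        MessageDigest digest = getDigest(getAlgorithmName());
        digest.reset();
        digest.update(bytes);          // password first ...
        if (salt != null) {
            digest.update(salt);       // ... then the salt
        }
        byte[] hashed = digest.digest();
        // Remaining iterations re-hash the previous output, same as the default implementation.
        for (int i = 0; i < hashIterations - 1; i++) {
            digest.reset();
            hashed = digest.digest(hashed);
        }
        return hashed;
    }
}

/**
 * Matcher that hashes the submitted credentials with LegacyOrderHash, so the
 * stored legacy hashes and the freshly computed one use the same byte order.
 * (Example class, name is hypothetical.)
 */
class LegacyOrderCredentialsMatcher extends HashedCredentialsMatcher {
    @Override
    protected Hash hashProvidedCredentials(Object credentials, Object salt, int hashIterations) {
        return new LegacyOrderHash(getHashAlgorithmName(), credentials, salt, hashIterations);
    }
}
```

Overriding SimpleHash alone is not enough for authentication, because HashedCredentialsMatcher constructs a plain SimpleHash internally; the matcher override above is what makes the realm use the legacy order.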
