bmarwell commented on PR #2475: URL: https://github.com/apache/shiro/pull/2475#issuecomment-3798079021
Hi, no salt needs to be nor can be supplied by the user. See: https://security.stackexchange.com/a/222746 The reason: argon2 and bcrypt and scrypt are NOT general purpose hashes. Hashes are meant to be fast, eg for checking data integrity. They were never meant to be used for passwords. This and adding a salt was always some kind of misuse and workaround. General purpose hashes: meant to be fast. Adding a salt protects against rainbow tables when misused for passwords. And that's why they need so many rounds. Password hashing algorithms (like scrypt, argon 2): meant to be memory hard or CPU hard or both, slow. Specifically for protecting passwords. Usually creating a random hash internally. So, yeah, don't supply user hashes. For the API, just ignore them. Add to the Java doc that they will be ignored for modern functions. sha1, md5 etc are to be removed in the future for this reason. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
