Is there an interest in password hashing with PBKDF2? I know Shiro's
HashedCredentialsMatcher also works by repeatedly applying a hash function,
and you can configure it to generate a password hash with a similar
cryptographic strength. Hypothetically, I might want to tell a security
auditor the story:
"We hash passwords using PBKDF2 with HMAC-SHA1 as the pseudorandom
function as specified in RFC 2898. Instead of rolling our own
implementation, we call the PBKDF2WithHmacSHA1 implementation that ships in
the Java runtime starting with Java 1.6."
If there's an interest in adding a PBKDF2 CredentialsMatcher, I can create
a Jira issue and submit a patch.
