PBKDF2 will actually use a password to derive an encryption key (Password-Based Key Derivation Function 2), so I don't think it's what you're looking for. You'd put in a password and get out an encryption key, and I submitted a Jira for that a couple of weeks ago as that's a very useful function that Shiro doesn't have currently (you'd need something like BouncyCastle to do it right now).
I think what you're looking for instead is the PasswordService and PasswordMatcher (and related) classes, which became available in Shiro 1.1. Those create a random salt, combine it with the password, and then hash them ~50,000 times (many of the parameters are configurable) and can be saved safely in a database. There is a description of how to use these somewhere on the Shiro site (I think in the blog) that came out around that time, plus obviously the JavaDocs and maybe even a guide. They're really very easy to use.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Password-hashing-with-PBKDF2-tp7577741p7577742.html
Sent from the Shiro User mailing list archive at Nabble.com.
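The distinction drawn in the message above, as an added example that is not part of the original post and is not Shiro code: it uses only JDK classes to put PBKDF2 key derivation next to a generic salted, iterated SHA-256 hash for password storage. The class name, method names, sample passwords and the 50,000 iteration count (taken from the figure quoted in the post) are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordKdfVsHash {
    static final int ITERATIONS = 50_000; // illustrative; tune for your hardware

    // PBKDF2: password + salt in, fixed-length key material out (here 256 bits,
    // suitable as an AES-256 key). The output is used as a key and never stored.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the copy held by the spec
        }
    }

    // Storage hash: salt combined with the password, then re-hashed repeatedly.
    // The salt and the result are what gets saved in the database.
    static byte[] storageHash(byte[] password, byte[] salt) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        byte[] h = md.digest(password);
        for (int i = 1; i < ITERATIONS; i++) {
            h = md.digest(h); // digest() resets the instance after each call
        }
        return h;
    }

    // Login check: recompute with the stored salt, compare in constant time.
    static boolean verify(byte[] submitted, byte[] salt, byte[] stored) throws Exception {
        return MessageDigest.isEqual(storageHash(submitted, salt), stored);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per password
        String pw = "correct horse battery"; // constructed sample password
        byte[] key = deriveKey(pw.toCharArray(), salt);
        byte[] stored = storageHash(pw.getBytes(StandardCharsets.UTF_8), salt);
        System.out.println("derived key bytes: " + key.length);
        System.out.println("right password:    " + verify(pw.getBytes(StandardCharsets.UTF_8), salt, stored));
        System.out.println("wrong password:    " + verify("guess".getBytes(StandardCharsets.UTF_8), salt, stored));
    }
}
```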
