Just to clarify what I said. You *could* use PBKDF2 to encrypt your passwords, as it would certainly work and works well at that, and people have used it for that purpose. However, that's not something that's in Shiro as-is, but the PasswordService does the same thing in an almost identical way (hashing instead of "ciphering"), and the end result is identical, i.e., a password you can safely store that would be infeasible to crack.
If you're interested, below is a small snippet of code that I put together to create a PBKDF2 key, which I later use with Shiro's built-in crypto to encrypt/decrypt data. In this, salt and pwd are both Strings. The difference between what I'm doing and what you're trying to do is that I'm just getting the key, but at this point the key doesn't have any IVs in it (I put those in later with Shiro itself). You may also want to check out the link I'll post at the end, which has more info (but without Shiro). The non-Shiro parts of this are standard Java, and you can see he's using the code to encrypt something with IVs.

And the link: http://nelenkov.blogspot.com/2012/04/using-password-based-encryption-on.html

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Password-hashing-with-PBKDF2-tp7577741p7577749.html
Sent from the Shiro User mailing list archive at Nabble.com.
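The snippet the poster refers to did not survive in the archive. What follows is an added example (not the poster's code) of the same approach: derive a key from a password and salt with standard JCE PBKDF2, let Shiro's AesCipherService supply and prepend the IV, and, for password storage, use DefaultPasswordService instead of ciphering. It assumes Shiro 1.x; the class name, iteration count and sample values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.util.ByteSource;

public class Pbkdf2WithShiro {

    // Constructed example value; tune the iteration count to your hardware.
    private static final int ITERATIONS = 100_000;
    // 128 bits matches AesCipherService's default key size in Shiro 1.x.
    private static final int KEY_BITS = 128;

    /** Derive an AES key from a password and salt with plain JCE PBKDF2 (no Shiro involved). */
    static byte[] deriveKey(String pwd, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(pwd.toCharArray(), salt, ITERATIONS, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        return factory.generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // random salt; persist it next to the ciphertext
        String pwd = "correct horse battery staple"; // constructed sample password

        // 1. Key derivation only: the key carries no IV at this point.
        byte[] key = deriveKey(pwd, salt);

        // 2. AesCipherService generates a fresh random IV on every encrypt() call and
        //    prepends it to the returned bytes, so decrypt() needs nothing but the key.
        AesCipherService aes = new AesCipherService();
        byte[] plaintext = "secret data".getBytes(StandardCharsets.UTF_8);
        ByteSource encrypted = aes.encrypt(plaintext, key);
        ByteSource decrypted = aes.decrypt(encrypted.getBytes(), key);
        if (!Arrays.equals(plaintext, decrypted.getBytes())) throw new IllegalStateException("round trip failed");

        // 3. For storing the password itself there is no ciphering: PasswordService salts and
        //    iterates a hash and returns a self-describing string that is safe to persist.
        DefaultPasswordService ps = new DefaultPasswordService();
        String stored = ps.encryptPassword(pwd);
        if (!ps.passwordsMatch(pwd, stored)) throw new IllegalStateException("password check failed");
        if (ps.passwordsMatch("wrong password", stored)) throw new IllegalStateException("false match");

        Arrays.fill(key, (byte) 0); // clear key material once it is no longer needed
    }
}
```

The stored string from encryptPassword already embeds its algorithm, salt and iteration count, which is why passwordsMatch needs no extra parameters.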
