If you're doing the hashing yourself and storing them somewhere, consider using something other than SHA*.
Take a look at these articles:

http://codahale.com/how-to-safely-store-a-password/
http://www.unlimitednovelty.com/2012/03/dont-use-bcrypt.html

My understanding is that SHA* are designed for speed, which ultimately aids brute-force attacks. Something like bcrypt, or even better PBKDF2, mitigates this. I'm not an expert though; Les will probably have a better view.

On 14 January 2014 02:32, Les Hazlewood <[email protected]> wrote:

> Hi Richard, yes, if you can't configure the LDAP server to be aware of
> iterations/complexity, then I think doing the matching at the Realm level
> (with a PasswordMatcher) would be good.
>
> HTH!
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>
>
> On Mon, Jan 13, 2014 at 5:11 PM, Richard Mixon <[email protected]> wrote:
>
>> Les, I've actually got the Shiro realm working - with either SSHA or
>> SSHA256. But now it looks like neither of the LDAP server's built-in bind
>> functions allows you to specify how many hash iterations to compute,
>> only the algorithm to use. So I guess that means I just do an LDAP search
>> instead of a bind and do the matching in my realm logic.
>>
>> Or am I missing something?
>>
>> Thanks!
>>
>> Sent from my iPhone
>>
>> On Jan 13, 2014, at 16:20, Les Hazlewood <[email protected]> wrote:
>>
>> Hi Richard,
>>
>> If I understand correctly, your challenge is that you want to configure
>> the LDAP server of choice to compute SSHA256? And then to have Shiro read
>> in that record, look at the hashed value and then do the comparison?
>>
>> Best,
>>
>> Les
>>
>> On Mon, Jan 13, 2014 at 8:54 AM, rnmixon <[email protected]> wrote:
>>
>>> A bit more info ...
>>>
>>> We are putting together a small outward-facing portal - implementing an
>>> LDAP directory is part of that effort (we use Microsoft AD for internal
>>> users).
>>>
>>> At this point we've written the PHP plugin for our WordPress site to
>>> authenticate external partners via the LDAP directory and internal
>>> users/employees using our Microsoft Active Directory. I'm doing the same
>>> for the two Java applications that need to be integrated.
>>>
>>> Currently, I'm trying to meet a new requirement I received last week to
>>> use SSHA256 instead of SSHA and to use a high number of hashing iterations
>>> as Les' article suggested.
>>>
>>> In theory OpenLDAP can do this using the sha2 plugin, but it's been slow
>>> getting it to work - after quite a few years it has not been included in
>>> the base product's plugin set - and there appear to be some philosophical
>>> wars as to whether more advanced hashes can or should be included in the
>>> core product plugins.
>>>
>>> So at this point I've allocated a day (today) to look at the Fedora 389
>>> Directory Server and see if it offers a smoother path. So far that seems
>>> to be the case, but I'm not all the way there yet.
>>>
>>> Any thoughts or suggestions on a better path? This is a first step for
>>> us - I'm sure we'll evaluate and reconsider after it's implemented.
>>>
>>> Thank you - Richard
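The approach the thread converges on (LDAP search for the user record, then salted SHA-256 with a high iteration count checked in the Shiro realm rather than via an LDAP bind), as an added example that is not code from this thread or from the Shiro project. Class and method names, the 100,000 iteration value and the hash/salt storage layout are assumptions; the Shiro 1.x API calls (HashedCredentialsMatcher, Sha256Hash, SimpleAuthenticationInfo) are real, and the directory search itself is left abstract because it depends on the schema.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.util.ByteSource;

// Hypothetical realm (not Shiro's own code): the user record comes from an LDAP
// search and Shiro's matcher performs the salted, iterated SHA-256 comparison.
public abstract class IteratedSha256LdapRealm extends AuthenticatingRealm {
    // Enforced in the realm because an LDAP bind cannot be told about iterations.
    public static final int ITERATIONS = 100_000;   // assumed value; tune to your hardware

    // Hash and salt as stored in the user's directory entry (assumed layout).
    public static final class StoredCredential {
        public final String hashBase64; public final byte[] salt;
        public StoredCredential(String h, byte[] s) { hashBase64 = h; salt = s; }
    }

    public IteratedSha256LdapRealm() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(false);   // stored hash is base64, not hex
        setCredentialsMatcher(matcher);
    }

    // Enrollment side: compute the value to write into the user's directory attributes.
    public static StoredCredential enroll(String plaintextPassword) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(16);
        String hash = new Sha256Hash(plaintextPassword, salt, ITERATIONS).toBase64();
        return new StoredCredential(hash, salt.getBytes());
    }

    // The LDAP search for the hash and salt attributes is schema-specific, so it is
    // left to the concrete subclass; return null for an unknown user.
    protected abstract StoredCredential lookup(String username);

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = (String) token.getPrincipal();
        StoredCredential stored = lookup(username);
        if (stored == null) throw new AuthenticationException("unknown user: " + username);
        // Supplying the salt makes the matcher rehash the submitted password ITERATIONS
        // times and compare it to the stored value; the plaintext never reaches the directory.
        return new SimpleAuthenticationInfo(username, stored.hashBase64,
                ByteSource.Util.bytes(stored.salt), getName());
    }
}
```

Because the iteration count and hash are fixed in the realm, changing them later means re-enrolling users, so keep ITERATIONS in one place and version the stored attribute if you expect to raise it.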
