Sure... I wasn't being specific to you on paranoia, it was meant as a lighthearted view on the world of hacking.

Think of it this way. MD5 and SHA 1 are done for security, they still have uses, but not for passwords. SHA 2 is limited for password protection, but with a good long random salt, it's still pretty good. If you want to protect a new online cat database you could be happy with SHA 2 + salt. If you are protecting more sensitive or more prized data then move on to bcrypt.

Good luck
-d

On 18 September 2014 00:04, Konrad Zuse <[email protected]> wrote:

> It's not paranoia more so than what I have been reading, where people say
> that SHA should never be used for passwords....... As I said I'm new to
> cryptography, so I'm just trying to get my facts straight is all.
>
> I will most likely go with the defaults for now, but a port for Shiro
> would be nice.
>
> ------------------------------
> Date: Wed, 17 Sep 2014 22:56:38 +0100
> Subject: RE: Has anyone tried the Shiro 2.0 branch?
> From: [email protected]
> To: [email protected]
>
> How good is sha 256? How paranoid are you? If not much, it is great, if a
> lot, move to bcrypt. But sha 256 is good enough for most. If financial data
> is involved, or other sensitive data, look to bcrypt.
> As for using spring security bcrypt, it was meant as an example of simple
> abstraction. You could use bcrypt directly. Or port it to a Shiro
> abstraction.
> d
>
> On 17 Sep 2014 22:33, "Konrad Zuse" <[email protected]> wrote:
>
> I was curious if we will be getting better hashing algorithms? I'm new to
> Cryptography and such, but I was reading something last night saying that
> SHA isn't really secure for passing and we should be using either bcrypt,
> scrypt, or PK2BK?
>
> Someone made a post about spring security and bcrypt, but I rather not mix
> it with Shiro if possible... Would be nice to have these features. From
> the documentation it's shown to use SHA-256 for passwords and a password
> matcher, but how secure is it?
>
> I would love to help out with improving the library, but I don't know if I
> will be of any help as a semi-noobie :(.
>
> Thanks for everything Lez!
>
> > Date: Wed, 17 Sep 2014 13:14:11 -0700
> > Subject: Re: Has anyone tried the Shiro 2.0 branch?
> > From: [email protected]
> > To: [email protected]
> >
> > Hi Paul,
> >
> > I'm not sure if they'll still work or not, as I haven't tested. I'd
> > *like* to ensure that they still work, or better yet, include the JEE
> > interceptor support directly in Shiro. If anyone would like to help
> > with this effort, I'm sure the dev team would appreciate it!
> >
> > Les
> >
> > On Sun, Sep 14, 2014 at 2:42 AM, Paul Holding <[email protected]> wrote:
> > > Hi Les
> > >
> > > Looking through the release notes I didn't see any mention of CDI, JSF, or
> > > Java EE Interceptors so I was wondering whether some of the existing
> > > enhancements that have been created by the community are likely to still
> > > work with Shiro 2.0.
> > >
> > > For CDI and JSF I'm using Pax Shiro (
> > > https://github.com/ops4j/org.ops4j.pax.shiro ).
> > >
> > > For Java EE Interceptors I'm using some code from BalusC's blog (
> > > http://balusc.blogspot.co.uk/2013/01/apache-shiro-is-it-ready-for-java-ee-6.html#DeclarativeRestrictionInBeanMethods
> > > )
> > >
> > > Do you think these are likely to still work in Shiro 2.0?
> > >
> > > Kind Regards
> > >
> > > Paul
> > >
> > > --
> > > View this message in context:
> > > http://shiro-user.582556.n2.nabble.com/Has-anyone-tried-the-Shiro-2-0-branch-tp7580195p7580212.html
> > > Sent from the Shiro User mailing list archive at Nabble.com.
