Hi Oncle,

I don't think it is dangerous to store the algorithm/iterations as storing
this does not enable an easy brute force dictionary attack.

Sorry I don't really understand the second part of your question.  I set up
a password service as follows:

        ByteSource pepper = ByteSource.Util.bytes(...);

        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName(...);
        hashService.setHashIterations(...);
        hashService.setGeneratePublicSalt(...);
        hashService.setPrivateSalt(...);

        DefaultPasswordService passwordService = new DefaultPasswordService();
        passwordService.setHashService(hashService);

        HashFormatFactory hashFormatFactory = passwordService.getHashFormatFactory();

Cheers,

Stuart

On Fri, Sep 18, 2015 at 12:14 PM, Oncle Zebulon <[email protected]>
wrote:

> Hi Stuart,
> Thanks for the reply!
> Isn't it dangerous to store the algo and the iteration? An attacker would
> be glad to have that information!
> No?
>
> What do you think about the second part of my mail? It seems that in
> JdbcRealm.doGetAuthenticationInfo():
> if (salt != null) {
>         info.setCredentialsSalt(ByteSource.Util.bytes(salt));
> }
>
> The salt is correctly retrieved from the database but is modified here. Am I
> using the tool correctly?
> Regards
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Store-hash-and-salt-in-a-database-tp7580766p7580769.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

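An added example, not code from either poster or from the Shiro project: the password service from the reply above with its elided arguments filled in by constructed values, showing which parameters end up in the stored string and that the private salt does not. It assumes shiro-core 1.x on the classpath; the class name, algorithm, iteration count, pepper and passwords are all assumptions made for the demo.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.util.ByteSource;

public class PepperedPasswordDemo {

    // Same wiring as in the reply, with constructed values in place of "...".
    static DefaultPasswordService service(String pepper) {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName("SHA-256");   // constructed choice
        hashService.setHashIterations(500_000);         // constructed choice
        hashService.setGeneratePublicSalt(true);        // fresh random salt per password
        hashService.setPrivateSalt(ByteSource.Util.bytes(pepper));

        DefaultPasswordService passwordService = new DefaultPasswordService();
        passwordService.setHashService(hashService);
        return passwordService;
    }

    public static void main(String[] args) {
        // Constructed pepper; in a deployment it is kept outside the database.
        DefaultPasswordService app = service("demo-pepper-not-a-real-secret");
        String password = "correct horse battery staple";

        // The default format writes one self-describing string:
        // $shiro1$<algorithm>$<iterations>$<base64 public salt>$<base64 digest>
        String stored = app.encryptPassword(password);
        String[] f = stored.split("\\$");
        System.out.println("stored     = " + stored);
        System.out.println("algorithm  = " + f[2]);
        System.out.println("iterations = " + f[3]);
        System.out.println("salt (b64) = " + f[4]);

        // Hashing the same password again draws a new public salt.
        System.out.println("same string twice: " + stored.equals(app.encryptPassword(password)));

        // Verification reads algorithm, iterations and public salt back from 'stored'.
        System.out.println("right password:    " + app.passwordsMatch(password, stored));
        System.out.println("wrong password:    " + app.passwordsMatch("wrong guess", stored));

        // A verifier that has the stored string but a different private salt.
        DefaultPasswordService other = service("some-other-pepper");
        System.out.println("other pepper:      " + other.passwordsMatch(password, stored));
    }
}
```

The private salt is mixed into the digest but never written to the stored string, so whoever verifies a password needs it from configuration in addition to the database row.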