+1 We should probably mark the older ones deprecated as well

On Tue, Mar 27, 2018 at 9:01 PM, Philip Whitehouse <[email protected]> wrote:

> Hi Shiro Users,
>
> I’ve got a few questions on password hashing and migration.
>
> Looking at the docs: https://shiro.apache.org/static/1.2.3/apidocs/org/apache/shiro/crypto/hash/SimpleHash.html
> indicates support for a number of hash algorithms.
>
> Of these, MD2 and MD5 are definitely broken and SHA1 is pretty broken. I
> think we should probably remove "While most applications are ok with either
> of these two," from the docs at this point.
>
> Has anyone looked at using stronger hash algorithms? (i.e. BLAKE2). Is it
> simply a case of making use of a library like Bouncy Castle to ?
>
> In terms of key derivation functions (PBKDF, Argon2, crypt, scrypt) is
> there any support in Shiro / work on supporting it? Currently it looks like
> the only support is for iterations in constructing a hash.
>
> I’m assuming migration between hash functions is something that would have
> to be implemented outside Shiro.
>
> If it’s just a Bouncy Castle requirement would it be worth updating the
> https://shiro.apache.org/cryptography-features.html page to add
> documentation on how to integrate with Bouncy Castle, rather than list MD5
> and SHA-1 as core features.
>
> Thanks in advance,
>
> Best regards,
> Philip Whitehouse
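Added example, not part of the thread and not Shiro code: one way to do the hash migration the quoted message asks about, by verifying against the stored legacy digest at login and re-hashing with a key derivation function on success. It uses only JDK classes; the class name, the `scheme$iterations$salt$hash` record format, the legacy digest construction and the work factor are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class HashMigration {
    // Stored form (constructed for this example): scheme$iterations$saltB64$hashB64
    static final String TARGET = "PBKDF2WithHmacSHA256";
    static final int TARGET_ITERATIONS = 600_000; // assumed work factor; tune to your hardware

    static byte[] derive(String scheme, int iterations, byte[] salt, char[] pw) throws Exception {
        if (scheme.equals(TARGET)) {
            PBEKeySpec spec = new PBEKeySpec(pw, salt, iterations, 256);
            return SecretKeyFactory.getInstance(TARGET).generateSecret(spec).getEncoded();
        }
        // Legacy path: salted, iterated plain digest such as "MD5" or "SHA-1"
        // (illustrative construction, not claimed byte-compatible with any library).
        MessageDigest md = MessageDigest.getInstance(scheme);
        md.update(salt);
        byte[] h = md.digest(new String(pw).getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < iterations; i++) h = md.digest(h);
        return h;
    }

    static String create(String scheme, int iterations, char[] pw) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per record
        Base64.Encoder b64 = Base64.getEncoder();
        return scheme + "$" + iterations + "$" + b64.encodeToString(salt) + "$"
                + b64.encodeToString(derive(scheme, iterations, salt, pw));
    }

    /** Returns null on a wrong password, else the record to store (upgraded if it was legacy). */
    static String verifyAndUpgrade(String stored, char[] pw) throws Exception {
        String[] p = stored.split("\\$");
        if (p.length != 4) return null;
        int iterations = Integer.parseInt(p[1]);
        byte[] expected = Base64.getDecoder().decode(p[3]);
        byte[] actual = derive(p[0], iterations, Base64.getDecoder().decode(p[2]), pw);
        if (!MessageDigest.isEqual(expected, actual)) return null; // constant-time compare
        boolean current = p[0].equals(TARGET) && iterations >= TARGET_ITERATIONS;
        return current ? stored : create(TARGET, TARGET_ITERATIONS, pw);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse".toCharArray();  // constructed sample password
        String legacy = create("MD5", 1024, pw);     // constructed legacy record
        String upgraded = verifyAndUpgrade(legacy, pw);
        System.out.println(legacy.split("\\$")[0] + " -> " + upgraded.split("\\$")[0]);
        System.out.println("wrong password rejected: " + (verifyAndUpgrade(upgraded, "x".toCharArray()) == null));
    }
}
```

Accounts that never log in keep their legacy record under this approach, so a deployment still needs a cutoff after which remaining legacy hashes are invalidated and those users go through a password reset.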
