lprimak commented on code in PR #186: URL: https://github.com/apache/shiro-site/pull/186#discussion_r1463873244
########## src/site/content/configuration.adoc: ########## @@ -439,40 +439,33 @@ Each line in the [users] section must conform to the following format: [#Configuration-INIConfiguration-Sections-users-EncryptingPasswords] ===== Encrypting Passwords -If you don't want the [users] section passwords to be in plain-text, you can encrypt them using your favorite hash algorithm (MD5, Sha1, Sha256, etc.) however you like and use the resulting string as the password value. By default, the password string is expected to be Hex encoded, but can be configured to be Base64 encoded instead (see below). +Since Shiro 2.0, the `[users]` section cannot contain plain-text passwords. +You can encrypt them using https://en.wikipedia.org/wiki/Key_derivation_function[key derivation functions]. +Shiro provides implementations for bcrypt and argon2. +If unsure, use argon2 derived passwords. + +The algorithms from Shiro 1 (e.g. md5, SHA1, SHA256, etc.) are long deemed insecure and not supported anymore. +There is neither a direct migration path nor backward compatibility.

Review Comment: This is technically not true since Shiro 2 can encrypt / decrypt Shiro 1.x passwords. There is a forward-and-backward path for compatibility, as I tested this recently. This is a good thing IMHO. Currently, it takes some "finagling" to get working, which I think is a good thing: it makes compatibility possible, but use Argon2 by default.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@shiro.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
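Review bot: the last added line, "There is neither a direct migration path nor backward compatibility.", is contradicted by the review comment on this hunk, which reports that Shiro 2 can still verify Shiro 1.x password hashes; either drop the sentence or replace it with a short description of the migration route (existing 1.x hashes are verified during the transition, new entries use argon2), since as written it tells operators their existing `[users]` entries must be thrown away. Two smaller documentation points in the same hunk: "You can encrypt them using ... key derivation functions" should say "hash", because bcrypt and argon2 are one-way password-hashing functions and nothing is decrypted at login time, and the removed paragraph's statement of the stored value's encoding (Hex by default, Base64 optionally) has no replacement, so the new text should state what format the `[users]` password value takes under bcrypt/argon2 or point to the section that does.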