Hi Shiro Users, I’ve got a few questions on password hashing and migration.
Looking at the docs: https://shiro.apache.org/static/1.2.3/apidocs/org/apache/shiro/crypto/hash/SimpleHash.html indicates support for a number of hash algorithms.
Of these, MD2 and MD5 are definitely broken and SHA1 is pretty broken. I think we should probably remove "While most applications are ok with either of these two,” from the docs at this point.
Has anyone looked at using stronger hash algorithms? (i.e BLAKE2). Is it simply a case of making use of a library like Bouncy Castle to ?
In terms of key derivation functions (PKBDF, Argon2, crypt, scrypt) is there any support in Shiro / work on supporting it? Currently it looks like the only support is for iterations in constructing a hash.
I’m assuming migration between hash functions is something that would have to be implemented outside Shiro.
If it’s just a Bouncy Castle requirement would it be worth updating the https://shiro.apache.org/cryptography-features.html page to add documentation on how to integrate with Bouncy Castle, rather than list MD5 and SHA-1 as core features.
Thanks in advance, Best regards, Philip Whitehouse
