Hi Robert,

Why do you think you need the plain text password?
Shiro matches the password supplied by subsequent authentication
attempts by going through the Sha256Hash algorithm again and comparing
the hashed outputs.

This way, you can safely[1] store the hash and salt without giving
away a user's password.

… or did you lose a password and need to recover it?

You can also just set a new one, if you did not encrypt anything using
your old password.

- Ben

[1] Sha256 + salt + iterations is a little bit outdated.
For Shiro 2, we decided to implement more advanced algorithms.

On Fri., 5 Nov. 2021 at 15:39, Roberto Bottoni
<r.bott...@afterbit.com> wrote:
>
> Hello,
> I have little experience with encryption / decryption..
>
> for my web app I want to use Apache Shiro to login user, with salted
> password ..
>
> this is the article I read :
> http://shiro.apache.org/realm.html#Realm-HashingCredentials and the code
> to generate the salted password :
>
> import org.apache.shiro.crypto.hash.Sha256Hash;
> import org.apache.shiro.crypto.RandomNumberGenerator;
> import org.apache.shiro.crypto.SecureRandomNumberGenerator;
> ...
>
> //We'll use a Random Number Generator to generate salts.  This
> //is much more secure than using a username as a salt or not
> //having a salt at all.  Shiro makes this easy.
> //
> //Note that a normal app would reference an attribute rather
> //than create a new RNG every time:
> RandomNumberGenerator rng = new SecureRandomNumberGenerator();
> Object salt = rng.nextBytes();
>
> //Now hash the plain-text password with the random salt and multiple
> //iterations and then Base64-encode the value (requires less space than Hex):
> String hashedPasswordBase64 = new Sha256Hash(plainTextPassword, salt, 1024).toBase64();
>
> User user = new User(username, hashedPasswordBase64);
> //save the salt with the new account.  The HashedCredentialsMatcher
> //will need it later when handling login attempts:
> user.setPasswordSalt(salt);
> userDAO.create(user);
>
> This gives me an encrypted password..
> but how can I recover the plain text password?
> Is it possible?
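To make the "re-hash and compare" check concrete, here is an added stand-alone illustration (not Shiro code and not from either poster) of the same salted, iterated SHA-256 scheme in Python: account creation stores only the Base64 hash and the salt, and a login attempt is verified by running the submitted password through the identical hash and comparing digests. The loop follows the order used by Shiro's SimpleHash as I understand it (salt absorbed first, then the password, then the digest re-hashed iterations-1 more times); treat that byte layout as an assumption if you need to interoperate with stored Shiro hashes. The function and variable names are my own.

```python
import base64
import hashlib
import hmac
import secrets


def shiro_style_hash(password: bytes, salt: bytes, iterations: int = 1024) -> bytes:
    """Salted, iterated SHA-256.

    Assumed to mirror Shiro's SimpleHash layout: the salt is fed into the
    digest first, then the password; the resulting digest is then hashed
    again (iterations - 1) times. There is no inverse of this function,
    which is why the plain-text password cannot be recovered from it.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.sha256()
    digest.update(salt)
    digest.update(password)
    hashed = digest.digest()
    for _ in range(iterations - 1):
        hashed = hashlib.sha256(hashed).digest()
    return hashed


def create_credentials(plain_text_password: str, iterations: int = 1024) -> tuple[str, str]:
    """Account creation: fresh random salt, hash, Base64-encode.

    Returns (hashed_password_base64, salt_base64). Both values are what gets
    persisted with the user record; the plain-text password is not stored.
    """
    salt = secrets.token_bytes(16)  # constructed per account, like rng.nextBytes()
    hashed = shiro_style_hash(plain_text_password.encode("utf-8"), salt, iterations)
    return (
        base64.b64encode(hashed).decode("ascii"),
        base64.b64encode(salt).decode("ascii"),
    )


def check_login(attempt: str, stored_hash_b64: str, stored_salt_b64: str,
                iterations: int = 1024) -> bool:
    """Login attempt: what a HashedCredentialsMatcher does conceptually.

    The submitted password is hashed with the stored salt and the same
    iteration count, and the two digests are compared in constant time.
    """
    expected = base64.b64decode(stored_hash_b64)
    salt = base64.b64decode(stored_salt_b64)
    actual = shiro_style_hash(attempt.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(expected, actual)


def encoding_lengths(hashed: bytes) -> tuple[int, int]:
    """Base64 vs Hex length of a digest (the reason the docs prefer Base64)."""
    return len(base64.b64encode(hashed)), len(hashed.hex())


if __name__ == "__main__":
    # Constructed sample: a made-up password for demonstration only.
    stored_hash, stored_salt = create_credentials("correct horse battery staple")
    print("stored hash:", stored_hash, "salt:", stored_salt)
    print("right password:", check_login("correct horse battery staple", stored_hash, stored_salt))
    print("wrong password:", check_login("Correct horse battery staple", stored_hash, stored_salt))
    print("base64/hex lengths of a 32-byte digest:", encoding_lengths(b"\x00" * 32))
```

Nothing in `check_login` ever needs the original password back; it only needs the salt, the iteration count and the stored digest. If you ever do need the plain text, the only option is the one Ben mentions: set a new password. As the footnote notes, plain iterated SHA-256 is dated; the verification shape stays the same when you swap in a slower password hash, only `shiro_style_hash` changes.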
