Hi Ben,
The fact that "...This is possible only in theory and/or with a lot of money..." is the most important thing!
Well, I set a new password.
thank you!
Bye!
R.
On 06-11-2021 21:06 Benjamin Marwell wrote:
Hello Roberto!
This is possible only in theory and/or with a lot of money.
You can use hacking tools which run on your GPU, but even then it
might take years to find it.
And that is exactly the point: password-based key derivation functions
are designed to create an irreversible hash.
Shiro 2.0 will use even better KDFs like Argon2 or bcrypt/scrypt,
which require a vast amount of memory and CPU to make attacks not
feasible.
If you have access to the database where you stored the password, I
would just set a new password and forget about the old one, if
possible.
Best regards,
Ben
On Sat., 6 Nov. 2021 at 10:39 Roberto Bottoni
<r.bott...@afterbit.com> wrote:
Hi Ben,
Yes! The case is: "...or did you lose a password and need to recover
it?"
How can I do that?
Roberto
On 05-11-2021 21:41 Benjamin Marwell wrote:
> Hi Robert,
>
> Why do you think you need the plain text password?
> Shiro matches the password supplied by subsequent authentication
> attempts by going through the Sha256Hash algorithm again and comparing
> the hashed outputs.
>
> This way, you can safely[1] store the hash and salt without giving
> away a user's password.
>
> … or did you lose a password and need to recover it?
>
> You can also just set a new one, if you did not encrypt anything using
> your old password.
>
> - Ben
>
> [1] Sha256 + salt + iterations is a little bit outdated.
> For Shiro 2, we decided to implement more advanced algorithms.
>
> On Fri., 5 Nov. 2021 at 15:39 Roberto Bottoni
> <r.bott...@afterbit.com> wrote:
>>
>> Hello,
>> I have little experience with encryption/decryption.
>>
>> for my web app I want to use Apache Shiro to login user, with salted
>> password ..
>>
>> This is the article I read:
>> http://shiro.apache.org/realm.html#Realm-HashingCredentials and the
>> code to generate the salted password:
>>
>> import org.apache.shiro.crypto.hash.Sha256Hash;
>> import org.apache.shiro.crypto.RandomNumberGenerator;
>> import org.apache.shiro.crypto.SecureRandomNumberGenerator;
>> ...
>>
>> //We'll use a Random Number Generator to generate salts. This
>> //is much more secure than using a username as a salt or not
>> //having a salt at all. Shiro makes this easy.
>> //
>> //Note that a normal app would reference an attribute rather
>> //than create a new RNG every time:
>> RandomNumberGenerator rng = new SecureRandomNumberGenerator();
>> Object salt = rng.nextBytes();
>>
>> //Now hash the plain-text password with the random salt and multiple
>> //iterations and then Base64-encode the value (requires less space
>> //than Hex):
>> String hashedPasswordBase64 = new Sha256Hash(plainTextPassword, salt,
>> 1024).toBase64();
>>
>> User user = new User(username, hashedPasswordBase64);
>> //save the salt with the new account. The HashedCredentialsMatcher
>> //will need it later when handling login attempts:
>> user.setPasswordSalt(salt);
>> userDAO.create(user);
>>
>> This gives me an encrypted password,
>> but how can I recover the plain-text password?
>> Is it possible?
>
> --
> This message was scanned by Libraesva ESG and is believed to be clean.
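Added example (my code, not the Shiro project's, and not from any message in this thread) illustrating Ben's two points: a login check works by re-hashing the attempt with the stored salt and comparing digests, never by decrypting, and the only way "back" from such a hash is to guess candidates one by one, which succeeds only for weak passwords. The hash_password() routine is written to follow the scheme behind the page's Sha256Hash(plainTextPassword, salt, 1024) call as I understand it (digest salt||password, then re-digest the output iterations-1 times); treat that as an assumption, not a guaranteed byte-for-byte match with Shiro. scrypt_hash() uses the standard library's scrypt to show the memory-hard direction Ben mentions for Shiro 2.0. The wordlist and passwords are constructed for the demo.

```python
"""Salted, iterated SHA-256 hashing, verification by re-hashing, an offline
guessing attack, and a memory-hard alternative.

Added example, not Shiro project code. Assumption: hash_password() mirrors the
Shiro 1.x scheme (SHA-256 over salt+password, then SHA-256 over the running
digest for the remaining iterations). Check against the library if you need
hashes that interoperate with Shiro's HashedCredentialsMatcher."""
import base64
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple


def hash_password(password: bytes, salt: bytes, iterations: int = 1024) -> bytes:
    """SHA-256 of salt+password, then re-digest the result iterations-1 times."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def make_credentials(password: str, iterations: int = 1024) -> Tuple[str, str]:
    """Registration: returns (base64 hash, base64 salt), the two values stored per user."""
    salt = secrets.token_bytes(16)  # random per-user salt, never the username
    hashed = hash_password(password.encode("utf-8"), salt, iterations)
    return base64.b64encode(hashed).decode("ascii"), base64.b64encode(salt).decode("ascii")


def verify(attempt: str, stored_hash_b64: str, salt_b64: str, iterations: int = 1024) -> bool:
    """Login: recompute with the stored salt and compare digests. Nothing is decrypted."""
    recomputed = hash_password(attempt.encode("utf-8"), base64.b64decode(salt_b64), iterations)
    # constant-time compare so a wrong guess does not leak how many bytes matched
    return hmac.compare_digest(recomputed, base64.b64decode(stored_hash_b64))


def guess_password(stored_hash_b64: str, salt_b64: str,
                   wordlist: Iterable[str], iterations: int = 1024) -> Optional[str]:
    """Offline attack: every candidate costs a full salted, iterated hash, and the
    per-user salt defeats precomputed tables. Succeeds only if the real
    password is in the wordlist; otherwise the attacker learns nothing."""
    for candidate in wordlist:
        if verify(candidate, stored_hash_b64, salt_b64, iterations):
            return candidate
    return None


def scrypt_hash(password: bytes, salt: bytes, n: int = 2 ** 14, r: int = 8, p: int = 1) -> bytes:
    """Memory-hard KDF (stdlib scrypt, backed by OpenSSL). Each guess needs about
    128*r*n bytes of RAM (16 MiB with these parameters), which is what makes
    GPU-based guessing far more expensive than iterated SHA-256."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=32)


# Constructed sample wordlist for the demo, not real leaked data.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1"]


if __name__ == "__main__":
    weak_hash, weak_salt = make_credentials("letmein")
    strong_hash, strong_salt = make_credentials("c0rrect-h0rse-battery-5taple")
    print("login ok:", verify("letmein", weak_hash, weak_salt))  # True
    print("weak recovered:", guess_password(weak_hash, weak_salt, WORDLIST))  # letmein
    print("strong recovered:", guess_password(strong_hash, strong_salt, WORDLIST))  # None
```

The last line is the practical answer to the original question: with a decent password the wordlist comes back empty, and the only thing left is the kind of large-scale guessing Ben describes, so resetting the password is the right move.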