Here is a blog about the new algorithms in Benjamin Marwell’s blog: https://blog.bmarwell.de/2021/02/26/apache-shiro-implementing-new-password-hashing-algorithms.html
> On May 16, 2023, at 6:32 AM, Jakub Herkel <[email protected]> wrote: > > Hi, > > I tried an upcoming version of apache shiro (alpha 2) under Karaf and > I have some questions: > 1) We configure our application security with one config file (Shiro, > internal configuration) where we also want to setup a hash provider > and its configuration. But I don't see any way how I can setup cost > for bcrypt or parameter for argon2id if I want to use > DefaultPasswordService and DefaultHashService. Is there any way how to > do it? > 2) We would like to "upgrade" the hash if the hash provider was > changed (for example change bcrypt cost from 12 to 13). So when a user > is authorized we can also check if a new algorithm and an old > algorithm are the same. If they are, we will save a new computed hash. > But I don't know how to get an algorithm setup from the hash because > BCryptHash class isn't public. > > I appreciate for every advice you can give.
