I am using Apache Shiro as the security layer in a Spring app and am encountering a weird situation.
Firstly, here is how the security system is set up. When a user registers, the password is hashed with a securely generated random salt. The salt and hashed password are stored in the DB. This works 100% when I register, and login works great too, but a couple of days go by, and the hashed passwords aren't matching any longer. Here is the code:
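    import org.apache.shiro.codec.Base64;
    import org.apache.shiro.crypto.hash.Sha256Hash;

    // Wrapper class added so the snippet compiles; the class name is arbitrary.
    public class HashTest {
        public static void main(String[] args) {
            String plainPassword = "testing";
            // Base64-encoded salt as stored in the database
            String salt = "8aftpriretydsg39+37rqhnryvzluxqyxygwxi55f1pbhbuqsefgclkshpa6thzks3uqennjhksqcv5oancr9lqixmmyc8duqr2aqaqyjlkpnmvlb69jj7emnq0k6ccfbdv/o4jgt2u689leng6cqn+9kqw2gbgt2civolapa34=";
            // SHA-256 over the password with the decoded salt, 1024 iterations, Base64 output
            System.out.println(new Sha256Hash(plainPassword.toCharArray(), Base64.decode(salt), 1024).toBase64());
        }
    }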
The resulting hashed password is:
b8vlt/ekv8f5kwdjrgdkm+pavqc8sk7ooflt91juaxa=
But the password I have in the database, which was working and was generated with the exact same salt a couple of days ago, was:
xznbnlua8vrqq0qy5bbketzztzztgrth2kzkijqdilu=
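So as you can imagine, I am stumped. Does anyone know if I am doing something wrong? Or if I have left a step out?
Update 1: After registering a new user in the system, it looks like the other users in the system have their passwords changed for some reason. So this has nothing to do with the way the password hash is generated, and more to do with the database access layer.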
It seems the problem is unrelated to hashing and salting. You are sending improper queries that update unwanted records.
But I'll throw in some advice on salting: use a different salt for every user. Otherwise your passwords are not secure. Imagine what happens if someone obtains the salt and the database. In a while (could be weeks, it's not much) they would be able to generate a rainbow table and have all of the passwords. While if you use a different salt, they would have to generate as many rainbow tables as the number of users.
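The per-user salt advice above, together with the symptom from Update 1, as an added example that is not code from either post. It assumes Shiro 1.x on the classpath; the class name, the in-memory `USERS` map standing in for the users table, and the user names are hypothetical.

```java
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.RandomNumberGenerator;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public class PerUserSaltExample {
    private static final int ITERATIONS = 1024; // same count as the question's code
    private static final RandomNumberGenerator RNG = new SecureRandomNumberGenerator();
    // Hypothetical stand-in for the users table: username -> {salt, hash}, both Base64.
    private static final Map<String, String[]> USERS = new HashMap<>();

    static void register(String username, char[] password) {
        ByteSource salt = RNG.nextBytes(16); // fresh random salt for this user only
        String hash = new Sha256Hash(password, salt, ITERATIONS).toBase64();
        // Write exactly one record, keyed by the user being registered.
        USERS.put(username, new String[] { salt.toBase64(), hash });
    }

    static boolean verify(String username, char[] password) {
        String[] rec = USERS.get(username);
        if (rec == null) {
            return false;
        }
        // Recompute with the salt stored for this user, then compare in constant time.
        String candidate = new Sha256Hash(password, Base64.decode(rec[0]), ITERATIONS).toBase64();
        return MessageDigest.isEqual(candidate.getBytes(StandardCharsets.US_ASCII),
                                     rec[1].getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        register("alice", "testing".toCharArray());
        String[] aliceBefore = USERS.get("alice").clone();
        register("bob", "testing".toCharArray()); // same password, different salt

        String[] aliceAfter = USERS.get("alice");
        System.out.println("alice record unchanged by bob's registration: "
                + (aliceBefore[0].equals(aliceAfter[0]) && aliceBefore[1].equals(aliceAfter[1])));
        System.out.println("same password, different stored hashes: "
                + !aliceAfter[1].equals(USERS.get("bob")[1]));
        System.out.println("alice login ok: " + verify("alice", "testing".toCharArray()));
        System.out.println("wrong password rejected: " + !verify("alice", "guess".toCharArray()));
    }
}
```

Against a real database, the snapshot-and-compare check in `main` is the useful part: read an existing user's salt and hash before and after registering another user to confirm the write is scoped to a single row.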