[keycloak-dev] KEYCLOAK-1900 - Pluggable password hashing algorithm

Kunal K kunal at plivo.com
Tue Nov 17 12:36:56 EST 2015


Oh yes, SHA1 can certainly be compromised. I feel a better approach to
migrate existing passwords would be like:

BCrypt(SHA1(salt+password))



On Tue, Nov 17, 2015 at 9:18 PM, Bruno Oliveira <bruno at abstractj.org> wrote:

> What you mean is migrate from badly broken legacies like:
>
> MD5(salt + password)
> SHA1(salt + password)
>
> To BCrypt, Scrypt or PBKDF2? If yes, +1000000
>
> On Tue, Nov 17, 2015 at 1:07 PM Kunal K <kunal at plivo.com> wrote:
>
>> Hi all,
>>
>> I would like to start a discussion on how to implement -
>> https://issues.jboss.org/browse/KEYCLOAK-1900
>>
>> I have a django web app and all of my users are in a postgres database
>> with salted passwords hashed using SHA. I have been reading how I can use
>> UserFederation to implement by own credential validation, but the drawback
>> here would be that I'll have to keep maintaining my old database.
>>
>> For starters, I was thinking of replacing all occurrences of
>> Pbkdf2PasswordEncoder with an equivalent SHAPasswordEncoder, which is a
>> very crude approach and I'm not sure if it will even work. After some bit
>> of reading I saw this ticket -
>> https://issues.jboss.org/browse/KEYCLOAK-1900
>>
>> I would like to implement a custom hashing SPI and would love to get some
>> pointers on how to go about it.
>>
>> Thanks
>>
>
>


-- 
*KUNAL KERKAR *| PRODUCT ENGINEER
Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
Web: www.plivo.com | Twitter: @plivo <http://twitter.com/plivo>, @tsudot
<http://twitter.com/tsudot>

Free Incoming SMS for All US Short Codes – Get One Today!
<https://www.plivo.com/sms-short-code/?utm=emailsig>
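An added example (not code from the thread or from Keycloak) of the layered migration proposed above: existing rows are upgraded from hex SHA1(salt + password) to SLOW(SHA1(salt + password)) without knowing any password, and on a successful login the SHA1 layer is dropped by rehashing the cleartext natively. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt as the outer slow hash; the iteration count, scheme labels, salt and sample password are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed cost for the outer slow hash
LEGACY_SCHEME = "pbkdf2_sha256$sha1"  # outer PBKDF2 over inner hex SHA1(salt+password)
NATIVE_SCHEME = "pbkdf2_sha256"       # PBKDF2 directly over the password

def legacy_sha1(salt: str, password: str) -> str:
    """The old app's hash: hex SHA1(salt + password). Fast to brute-force, hence the migration."""
    return hashlib.sha1((salt + password).encode()).hexdigest()

def _slow(material: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)

def wrap_legacy_hash(legacy_hex: str, legacy_salt: str) -> dict:
    """Batch migration step: wrap an existing SHA1 digest in the slow hash.
    Needs only the stored digest, so every row can be upgraded without a login."""
    outer_salt = secrets.token_bytes(16)
    return {"scheme": LEGACY_SCHEME, "legacy_salt": legacy_salt, "salt": outer_salt,
            "iterations": PBKDF2_ITERATIONS,
            "hash": _slow(legacy_hex.encode(), outer_salt, PBKDF2_ITERATIONS)}

def hash_native(password: str) -> dict:
    """Target format once the cleartext is available: slow hash over the password itself."""
    outer_salt = secrets.token_bytes(16)
    return {"scheme": NATIVE_SCHEME, "salt": outer_salt, "iterations": PBKDF2_ITERATIONS,
            "hash": _slow(password.encode(), outer_salt, PBKDF2_ITERATIONS)}

def verify(record: dict, password: str) -> bool:
    """Verifier understands both layouts, so old and new rows coexist during migration."""
    if record["scheme"] == LEGACY_SCHEME:
        material = legacy_sha1(record["legacy_salt"], password).encode()
    elif record["scheme"] == NATIVE_SCHEME:
        material = password.encode()
    else:
        return False
    candidate = _slow(material, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Login path: on success, drop the SHA1 layer by rehashing the cleartext natively."""
    if not verify(record, password):
        return False, record
    if record["scheme"] == LEGACY_SCHEME:
        return True, hash_native(password)
    return True, record

# Constructed sample: one row as the old Django app stored it.
SAMPLE_SALT = "f3a9c1"
SAMPLE_HASH = legacy_sha1(SAMPLE_SALT, "correct horse battery staple")
```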