Question:
How can they easily be broken? If somebody gets the password database?
On 1/22/2014 7:55 AM, Bruno Oliveira wrote:
Good morning guys, as a suggestion to improve the way passwords are stored nowadays, I did some changes to support PBKDF2[1] (we have been doing the same thing on AeroGear for mobile devices); in this way it is possible to prevent rainbow tables and brute-force attacks like HashCat does, for example.
I'm completely fine with adding bcrypt as long as we include some KDF. I just didn't do that because I would like to hear some feedback before moving forward. Not sure if it makes sense, but my suggestion is to remove the SHA-* encoders because they can be easily broken and replace them with support for PBKDF2 and bcrypt only.
What do you think? Let me know if I should move forward or if that doesn't fit.
[1] - https://github.com/keycloak/keycloak/pull/171
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com