By salted passwords using SHA1, do you mean something like:

hash(salt + password) ?

If yes, hashes like SHA for example, were designed to be fast and can be broken with much less computational power than BCrypt, PBKDF2 or Scrypt for example.

On Tue, Nov 17, 2015 at 1:07 PM Kunal K <kunal@plivo.com> wrote:

Hi all,

I would like to start a discussion on how to implement - https://issues.jboss.org/browse/KEYCLOAK-1900

I have a django web app and all of my users are in a postgres database with salted passwords hashed using SHA. I have been reading how I can use UserFederation to implement by own credential validation, but the drawback here would be that I'll have to keep maintaining my old database.

For starters, I was thinking of replacing all occurrences of Pbkdf2PasswordEncoder with an equivalent SHAPasswordEncoder, which is a very crude approach and I'm not sure if it will even work. After some bit of reading I saw this ticket - https://issues.jboss.org/browse/KEYCLOAK-1900

I would like to implement a custom hashing SPI and would love to get some pointers on how to go about it.

Thanks

--
KUNAL KERKAR | PRODUCT ENGINEER
Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
Web: www.plivo.com | Twitter: @plivo, @tsudot

Free Incoming SMS for All US Short Codes – Get One Today!

_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev