[keycloak-user] Proposal: More Secure PassowrdHashProviders

My company has a client whose security prerequisites require us to store passwords using SHA-2 or better for the hash (SHA-512 ideal). We're looking to migrate our user management functions to Keycloak, and I noticed that hashing with SHA-1 is only provider out of the box. I propose adding the following providers (and will be happy to contribute!), using the hash functions available in the Java 8 runtime environment: 1. PBKDF2WithHmacSHA224 2. PBKDF2WithHmacSHA256 3. PBKDF2WithHmacSHA384 4. PBKDF2WithHmacSHA512 I also propose marking the current Pbkdf2PasswordHashProvider as deprecated, now that a real SHA-1 hash collision has been published by Google Security. -- *Adam Kaplan* Senior Engineer findyr <http://findyr.com/> m 914.924.5186 <//914.924.5186> | e akaplan(a)findyr.com WeWork c/o Findyr | 1460 Broadway | New York, NY 10036