On 06/11/2014 09:30 AM, David M. Lloyd wrote:
On 06/04/2014 11:07 AM, David M. Lloyd wrote:
[...]
> Example: Encrypting a new password
> ----------------------------------
>
> PasswordFactory pf = PasswordFactory.getInstance("sha1crypt");
> // API not yet established but will be similar to this possibly:
> ???? parameters = new
> ???SHA1CryptPasswordParameterSpec("p4ssw0rd".toCharArray());
> Password encrypted = pf.generatePassword(parameters);
> assert encrypted instanceof SHA1CryptPassword;
I have a concrete specification for this example now:
PasswordFactory pf = PasswordFactory.getInstance("sha-256-crypt");
// use a 64-byte random salt; most algorithms support flexible sizes
byte[] salt = new byte[64];
ThreadLocalRandom.current().getBytes(salt);
// iteration count is 4096, can generally be more (or less)
AlgorithmParameterSpec aps =
new HashedPasswordAlgorithmSpec(4096, salt);
char[] chars = "p4ssw0rd".toCharArray();
PasswordSpec spec = new EncryptablePasswordSpec(chars, aps);
Password pw = pf.generatePassword(spec);
assert pw.getAlgorithm().equals("sha-256-crypt");
assert pw instanceof UnixSHACryptPassword;
assert pf.verifyPassword(pw, chars);
- Best is to make the salt and iteration count configurable.
- Opportunities to inject a custom random generator.
The following may be important :
- RW the masked password to a file.
I will think further on the usecases we have seen over the years and
report back.