[keycloak-dev] Password storage and KDFs

Bill Burke bburke at redhat.com
Wed Jan 22 08:55:10 EST 2014


Question:

How can they easily be broken?  If somebody gets the password database?

On 1/22/2014 7:55 AM, Bruno Oliveira wrote:
> Good morning guys, as a suggestion to improve the way passwords are stored nowadays, I made some changes to support PBKDF2 [1] (we have been doing the same thing on AeroGear for mobile devices). In this way it is possible to prevent rainbow tables and brute-force attacks, like HashCat does, for example.
>
> I'm completely fine with adding bcrypt as long as we include some KDF. I just didn't do that because I would like to hear some feedback before moving forward. Not sure if it makes sense, but my suggestion is to remove the SHA-* encoders because they can be easily broken, and replace them with support for PBKDF2 and bcrypt only.
>
> What do you think? Let me know if I should move forward or if that doesn't fit.
>
> [1] - https://github.com/keycloak/keycloak/pull/171
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
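The following is an added example, not code from this thread or from the Keycloak pull request, that illustrates the question Bill raises: what makes a password database of plain SHA-* hashes easy to break, and what the proposed PBKDF2 encoder changes. It uses Python's standard hashlib rather than the Java code in the PR; the iteration count, the storage format string and the small list of sample passwords are constructed values for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters; a real deployment tunes these to its hardware budget.
ITERATIONS = 20000
SALT_BYTES = 16

# Constructed sample of weak passwords, standing in for the large wordlists
# that precomputed (rainbow) tables are built from.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


def sha256_unsalted(password: str) -> str:
    """The scheme the thread proposes removing: one fast, unsalted hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Why unsalted SHA-* is weak: the same password always yields the same digest,
# so one table computed once reverses every stored hash it covers.
PRECOMPUTED = {sha256_unsalted(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_hash: str):
    """Recover a password from an unsalted hash by table lookup (None if absent)."""
    return PRECOMPUTED.get(stored_hash)


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Derive a stored credential with PBKDF2-HMAC-SHA256, a random salt and a work factor.

    The record carries its own salt and iteration count, so verification can
    recompute it and the cost can be raised later without breaking old records.
    Format (constructed for this example): algo$iterations$salt_hex$dk_hex
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive from the stored salt and iterations, compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported credential format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters), dklen=32
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def cost_ratio(password: str = "password", samples: int = 20) -> float:
    """How many times slower one PBKDF2 derivation is than one bare SHA-256.

    This is the factor by which an offline guessing campaign slows down per
    candidate, and it is the knob PBKDF2 gives defenders that SHA-* lacks.
    """
    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    for _ in range(samples):
        sha256_unsalted(password)
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(samples):
        pbkdf2_hash(password, salt)
    slow = time.perf_counter() - t0
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    leaked = sha256_unsalted("letmein")
    print("unsalted SHA-256 recovered by table lookup:", lookup_unsalted(leaked))
    rec1, rec2 = pbkdf2_hash("letmein"), pbkdf2_hash("letmein")
    print("same password, two PBKDF2 records differ:", rec1 != rec2)
    print("both verify:", pbkdf2_verify("letmein", rec1) and pbkdf2_verify("letmein", rec2))
    print("PBKDF2 cost relative to bare SHA-256: ~%.0fx" % cost_ratio())
```

Two properties carry the argument. The per-record random salt means a table built against one leaked database is useless against the next, and even within one database every record has to be attacked separately. The iteration count turns each guess into thousands of hash invocations, which is where the "HashCat does this easily" objection to bare SHA-* is addressed; bcrypt gives the same two properties with a different construction, which is why the proposal keeps both.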

