[keycloak-dev] KEYCLOAK-1900 - Pluggable password hashing algorithm

Bill Burke bburke at redhat.com
Tue Nov 17 10:41:55 EST 2015


can just handle something like this like we do hash iterations.  Store 
the algorithm used, verify the password, compute the new hash with the 
new algorithm.

On 11/17/2015 10:33 AM, Bruno Oliveira wrote:
> By salted passwords using SHA1, do you mean something like:
>
> hash(salt + password) ?
>
> If yes, hashes like SHA for example, were designed to be fast and can be
> broken with much less computational power than BCrypt, PBKDF2 or Scrypt
> for example.
>
>
> On Tue, Nov 17, 2015 at 1:07 PM Kunal K <kunal at plivo.com
> <mailto:kunal at plivo.com>> wrote:
>
>     Hi all,
>
>     I would like to start a discussion on how to implement -
>     https://issues.jboss.org/browse/KEYCLOAK-1900
>
>     I have a django web app and all of my users are in a postgres
>     database with salted passwords hashed using SHA. I have been reading
>     how I can use UserFederation to implement my own credential
>     validation, but the drawback here would be that I'll have to keep
>     maintaining my old database.
>
>     For starters, I was thinking of replacing all occurrences of
>     Pbkdf2PasswordEncoder with an equivalent SHAPasswordEncoder, which
>     is a very crude approach and I'm not sure if it will even work.
>     After some bit of reading I saw this ticket -
>     https://issues.jboss.org/browse/KEYCLOAK-1900
>
>     I would like to implement a custom hashing SPI and would love to get
>     some pointers on how to go about it.
>
>     Thanks
>
>     --
>     *KUNAL KERKAR *| PRODUCT ENGINEER
>     Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
>     Web: www.plivo.com <http://www.plivo.com/> | Twitter: @plivo
>     <http://twitter.com/plivo>, @tsudot <http://twitter.com/tsudot>
>
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
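
The migration described in the reply above (store the algorithm with each credential, verify with that algorithm, then compute the new hash with the new algorithm), sketched in Python as an added example; it is not Keycloak code and not from the thread. The record layout, function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed current policy for this example (constructed, not a tuning recommendation).
CURRENT = ("pbkdf2-sha256", 20000)


def legacy_sha1(password: str, salt: bytes) -> bytes:
    # Legacy scheme from the thread: hash(salt + password) with SHA-1.
    return hashlib.sha1(salt + password.encode()).digest()


def pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_legacy_record(password: str) -> dict:
    # Constructed stand-in for a row imported from the old user database.
    salt = os.urandom(16)
    return {"algorithm": "sha1", "iterations": 1, "salt": salt,
            "hash": legacy_sha1(password, salt)}


def compute(record: dict, password: str) -> bytes:
    # Dispatch on the algorithm stored next to the hash.
    if record["algorithm"] == "sha1":
        return legacy_sha1(password, record["salt"])
    if record["algorithm"] == "pbkdf2-sha256":
        return pbkdf2(password, record["salt"], record["iterations"])
    raise ValueError("unknown algorithm: %r" % record["algorithm"])


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Verify with the stored algorithm; on success, rehash to CURRENT."""
    if not hmac.compare_digest(compute(record, password), record["hash"]):
        return False  # failed logins never touch the stored credential
    if (record["algorithm"], record["iterations"]) != CURRENT:
        # The plaintext is only available now, at login, so upgrade here.
        salt = os.urandom(16)
        record.update(algorithm=CURRENT[0], iterations=CURRENT[1],
                      salt=salt, hash=pbkdf2(password, salt, CURRENT[1]))
    return True
```

Accounts that never log in again keep their legacy hash, so a migration like this needs a cutoff after which remaining legacy credentials are reset.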

