[keycloak-user] Proposal: More Secure PasswordHashProviders

Adam Kaplan akaplan at findyr.com
Wed Mar 1 12:55:05 EST 2017


My company has a client whose security prerequisites require us to store
passwords using SHA-2 or better for the hash (SHA-512 ideal). We're looking
to migrate our user management functions to Keycloak, and I noticed that
hashing with SHA-1 is the only provider available out of the box.

I propose adding the following providers (and will be happy to
contribute!), using the hash functions available in the Java 8 runtime
environment:

   1. PBKDF2WithHmacSHA224
   2. PBKDF2WithHmacSHA256
   3. PBKDF2WithHmacSHA384
   4. PBKDF2WithHmacSHA512

I also propose marking the current Pbkdf2PasswordHashProvider as
deprecated, now that a real SHA-1 hash collision has been published by
Google Security.

-- 
*Adam Kaplan*
Senior Engineer
findyr <http://findyr.com/>
m 914.924.5186 | e akaplan at findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
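For readers unfamiliar with how the proposed variants differ from the existing provider, the following is an added example (not Keycloak's PasswordHashProvider code and not written by the poster) that hashes and verifies a password with any of the PBKDF2WithHmacSHA* algorithms the Java 8 JCE ships. The class name, the salt length, the iteration count and the `$`-separated storage format are assumptions chosen for the example:

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Illustrative PBKDF2 hashing with a selectable HMAC, using only the JCE
 * algorithm names present in Java 8 ("PBKDF2WithHmacSHA256" and friends).
 * NOT Keycloak's provider: class/method names, SALT_BYTES, ITERATIONS and
 * the storage format are assumptions made for this example.
 */
public final class Pbkdf2Sha2Example {

    private static final SecureRandom RNG = new SecureRandom();

    // Assumed parameters; a real deployment tunes these to its hardware budget.
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 27_500;

    /**
     * Derived-key length in bits, matched to the underlying hash's output size.
     * Asking PBKDF2 for more than one hash-block of output makes the defender
     * run extra blocks while an attacker only needs the first one to test a guess.
     */
    static int keyBitsFor(String algorithm) {
        switch (algorithm) {
            case "PBKDF2WithHmacSHA224": return 224;
            case "PBKDF2WithHmacSHA256": return 256;
            case "PBKDF2WithHmacSHA384": return 384;
            case "PBKDF2WithHmacSHA512": return 512;
            case "PBKDF2WithHmacSHA1":   return 160; // legacy, kept only to verify old hashes
            default: throw new IllegalArgumentException("unsupported PBKDF2 variant: " + algorithm);
        }
    }

    static byte[] derive(String algorithm, char[] password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyBitsFor(algorithm));
        try {
            return SecretKeyFactory.getInstance(algorithm).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the copy of the password held by the spec
        }
    }

    /** Stores algorithm, iterations, salt and hash together so verification needs no other state. */
    static String hash(String algorithm, char[] password)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] dk = derive(algorithm, password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder(); // standard alphabet never emits '$'
        return algorithm + "$" + ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(dk);
    }

    static boolean verify(String stored, char[] password)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        String[] parts = stored.split("\\$");
        if (parts.length != 4) return false;
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] expected = b64.decode(parts[3]);
        byte[] actual = derive(parts[0], password, b64.decode(parts[2]), Integer.parseInt(parts[1]));
        // Constant-time comparison; Arrays.equals would leak the position of the first mismatch.
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample input
        String stored = hash("PBKDF2WithHmacSHA512", pw);
        System.out.println(stored);
        System.out.println("good password verifies: " + verify(stored, pw));
        System.out.println("wrong password rejected: " + !verify(stored, "Tr0ub4dor&3".toCharArray()));
    }
}
```

Because the algorithm name is stored alongside each hash, records written with the legacy `PBKDF2WithHmacSHA1` variant can still be verified after the SHA-2 variants become the default, and rehashed with the stronger algorithm on the user's next successful login. Note that the SHA-1 collision mentioned in the post does not by itself break HMAC-SHA1 or PBKDF2's preimage resistance; the practical argument for moving to SHA-2 is compliance requirements like the one described and retiring a primitive that is no longer recommended for new designs.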

