[keycloak-user] Proposal: More Secure PasswordHashProviders

John D. Ament john.d.ament at gmail.com
Wed Mar 1 13:28:00 EST 2017


I deal with similarly concerned customer bases.  I would be happy to see
some of these algorithms added.  +1

On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan at findyr.com> wrote:

> My company has a client whose security prerequisites require us to store
> passwords using SHA-2 or better for the hash (SHA-512 ideal). We're looking
> to migrate our user management functions to Keycloak, and I noticed that
> hashing with SHA-1 is the only provider out of the box.
>
> I propose adding the following providers (and will be happy to
> contribute!), using the hash functions available in the Java 8 runtime
> environment:
>
>    1. PBKDF2WithHmacSHA224
>    2. PBKDF2WithHmacSHA256
>    3. PBKDF2WithHmacSHA384
>    4. PBKDF2WithHmacSHA512
>
> I also propose marking the current Pbkdf2PasswordHashProvider as
> deprecated, now that a real SHA-1 hash collision has been published by
> Google Security.
>
> --
> *Adam Kaplan*
> Senior Engineer
> findyr <http://findyr.com/>
> m 914.924.5186 | e
> akaplan at findyr.com
> WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
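The four PBKDF2 variants listed in the quoted proposal, as an added example that is not code from this thread or from Keycloak's own provider: it uses only the Java 8 runtime (`SecretKeyFactory` with the SunJCE algorithm names), and the class name, iteration count and the `algorithm$iterations$salt$hash` record format are assumptions for illustration. Whatever HMAC is chosen, the salt and the iteration count are what make the scheme a password hash rather than a fast digest, and verification should compare in constant time.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: PBKDF2 with the SHA-2 HMACs named in the proposal, using only the
// Java 8 runtime. Not Keycloak's PasswordHashProvider SPI; class name, iteration
// count and the stored-record format are assumptions for illustration.
public class Pbkdf2Sha2Demo {
    // Algorithm names exactly as the Java 8 SunJCE provider registers them.
    static final String[] ALGORITHMS = {
        "PBKDF2WithHmacSHA224", "PBKDF2WithHmacSHA256",
        "PBKDF2WithHmacSHA384", "PBKDF2WithHmacSHA512"
    };
    static final int ITERATIONS = 27500; // illustrative work factor, tune per deployment
    static final int SALT_BYTES = 16;
    static final int KEY_BITS = 512;     // PBKDF2 output length, independent of the HMAC size

    static byte[] derive(String algorithm, char[] password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(algorithm).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec holds its own copy; wipe it after use
        }
    }

    // Fresh random salt per password; record is self-describing so the algorithm
    // and work factor can be raised later without breaking existing entries.
    static String hash(String algorithm, char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] key = derive(algorithm, password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return algorithm + "$" + ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(key);
    }

    // Re-derive with the stored parameters and compare in constant time.
    static boolean verify(String record, char[] password) throws Exception {
        String[] parts = record.split("\\$");
        if (parts.length != 4) return false;
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        byte[] actual = derive(parts[0], password, salt, Integer.parseInt(parts[1]));
        return MessageDigest.isEqual(expected, actual);
    }
}
```

Calling `verify(hash(alg, pw), pw)` for each entry of `ALGORITHMS` exercises all four variants; a wrong password fails the `MessageDigest.isEqual` comparison without revealing where the bytes differ.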

