[wildfly-dev] On the WildFly Elytron PasswordFactory API

Bill Burke bburke at redhat.com
Wed Jun 11 11:44:03 EDT 2014



On 6/11/2014 11:33 AM, Anil Saldhana wrote:
> On 06/11/2014 09:30 AM, David M. Lloyd wrote:
>> On 06/04/2014 11:07 AM, David M. Lloyd wrote:
>> [...]
>>> Example: Encrypting a new password
>>> ----------------------------------
>>>
>>>       PasswordFactory pf = PasswordFactory.getInstance("sha1crypt");
>>>       // API not yet established but will be similar to this possibly:
>>>       ???? parameters = new
>>> ???SHA1CryptPasswordParameterSpec("p4ssw0rd".toCharArray());
>>>       Password encrypted = pf.generatePassword(parameters);
>>>       assert encrypted instanceof SHA1CryptPassword;
>> I have a concrete specification for this example now:
>>
>>        PasswordFactory pf = PasswordFactory.getInstance("sha-256-crypt");
>>        // use a 64-byte random salt; most algorithms support flexible sizes
>>        byte[] salt = new byte[64];
>>        ThreadLocalRandom.current().getBytes(salt);
>>        // iteration count is 4096, can generally be more (or less)
>>        AlgorithmParameterSpec aps =
>>                new HashedPasswordAlgorithmSpec(4096, salt);
>>        char[] chars = "p4ssw0rd".toCharArray();
>>        PasswordSpec spec = new EncryptablePasswordSpec(chars, aps);
>>        Password pw = pf.generatePassword(spec);
>>        assert pw.getAlgorithm().equals("sha-256-crypt");
>>        assert pw instanceof UnixSHACryptPassword;
>>        assert pf.verifyPassword(pw, chars);
>>
> - Best is to make the salt and iteration count configurable.

+1

5000 iterations is actually a *huge* performance hit, but unfortunately 
way lower than what I've seen recommended.  (I've seen as high as 
100,000 based on today's hardware).

In Keycloak we store the iteration count along with the password so that 
the admin can change the default iteration count in the future.  We 
recalculate the hash on a successful login if the default count and user 
count are different.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the wildfly-dev mailing list