3

In Apache Shiro, the default hash implementation is as follows:

    MessageDigest digest = getDigest(getAlgorithmName());
    if (salt != null) {
        digest.reset();
        digest.update(salt);
    }
    byte[] hashed = digest.digest(bytes);
    int iterations = hashIterations - 1; // already hashed once above
    // iterate remaining number:
    for (int i = 0; i < iterations; i++) {
        digest.reset();
        hashed = digest.digest(hashed);
    }
    return hashed;

Notice how it puts the salt first. We are having to authenticate against a legacy system where the hashes were password + salt and not salt + password.

I'm currently doing the concat outside this method call and passing null in for the salt. Aside from subclassing and overriding this method, is there a better way than what I'm having to do?

dstarh

1 Answer

2

It turns out subclassing SimpleHash and overriding one method did the trick. Just reset the digest, add the salt then the pw, and then digest it, and it works fine.

dstarh
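The ordering difference from the question, as an added JDK-only example that is not code from the post or from Shiro: it keeps the iteration loop of the snippet above and changes only which bytes enter the first round, which is the change an override in a `SimpleHash` subclass would make. The names `LegacyHashDemo`, `hash` and `verify`, and the password, salt, algorithm and iteration count in `main`, are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example; class and method names are hypothetical, not Shiro's API.
public class LegacyHashDemo {

    // saltFirst = true  -> salt + password (the layout in the Shiro snippet)
    // saltFirst = false -> password + salt (the legacy layout in the question)
    static byte[] hash(String algorithm, byte[] password, byte[] salt,
                       int hashIterations, boolean saltFirst)
            throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance(algorithm);
        digest.reset();
        if (salt != null && saltFirst) {
            digest.update(salt);
        }
        digest.update(password);
        if (salt != null && !saltFirst) {
            digest.update(salt);
        }
        byte[] hashed = digest.digest();
        // Remaining rounds re-hash the previous output, as in the snippet.
        for (int i = 0; i < hashIterations - 1; i++) {
            digest.reset();
            hashed = digest.digest(hashed);
        }
        return hashed;
    }

    // Compare against the stored legacy hash without an early-exit byte loop.
    static boolean verify(byte[] storedHash, String algorithm, byte[] password,
                          byte[] salt, int hashIterations)
            throws NoSuchAlgorithmException {
        byte[] candidate = hash(algorithm, password, salt, hashIterations, false);
        return MessageDigest.isEqual(storedHash, candidate);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values, not taken from any real system.
        byte[] password = "example-password".getBytes(StandardCharsets.UTF_8);
        byte[] salt = "example-salt".getBytes(StandardCharsets.UTF_8);
        byte[] legacy = hash("SHA-256", password, salt, 3, false);
        byte[] shiroOrder = hash("SHA-256", password, salt, 3, true);
        System.out.println("orderings differ: " + !MessageDigest.isEqual(legacy, shiroOrder));
        System.out.println("legacy verifies:  " + verify(legacy, "SHA-256", password, salt, 3));
    }
}
```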