I have little experience with encryption / decryption..
for my web app I want to use Apache Shiro to login user, with salted password ..
this is the article I read : http://shiro.apache.org/realm.html#Realm-HashingCredentials and the code to generate the salted password :
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.crypto.RandomNumberGenerator;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
...
//We'll use a Random Number Generator to generate salts. This
//is much more secure than using a username as a salt or not
//having a salt at all. Shiro makes this easy.
//
//Note that a normal app would reference an attribute rather
//than create a new RNG every time:
RandomNumberGenerator rng = new SecureRandomNumberGenerator();
Object salt = rng.nextBytes();
//Now hash the plain-text password with the random salt and multiple
//iterations and then Base64-encode the value (requires less space than Hex):
String hashedPasswordBase64 = new Sha256Hash(plainTextPassword, salt, 1024).toBase64();
User user = new User(username, hashedPasswordBase64);
//save the salt with the new account. The HashedCredentialsMatcher
//will need it later when handling login attempts:
user.setPasswordSalt(salt);
userDAO.create(user);
This give me a encrypted password.. but how can I recover the plain text password? It's possible?
Thanks to Benjamin Marwell :
This is possible only in theory and/or with a lot of money. You can use hacking tools which run on your GPU, but even then it might take years to find it. And that is exactly the point: Password-based key derivation functions are designed to create an in-revertable hash.
Shiro 2.0 will use even better KDFs like Argon2 or bcrypt/script, which require a vast amount of memory and cpu to make attacks not feasible.
If you have access to the database where you stored the password, I would just set a new password and forget about the old one, if possible.