
Newbie question: Apache Shiro recover password


I have little experience with encryption/decryption.

For my web app I want to use Apache Shiro to log users in, with salted passwords.

This is the article I read: http://shiro.apache.org/realm.html#Realm-HashingCredentials and the code to generate the salted password:

import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.crypto.RandomNumberGenerator;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
...

//We'll use a Random Number Generator to generate salts.  This 
//is much more secure than using a username as a salt or not 
//having a salt at all.  Shiro makes this easy. 
//
//Note that a normal app would reference an attribute rather 
//than create a new RNG every time: 
RandomNumberGenerator rng = new SecureRandomNumberGenerator();
Object salt = rng.nextBytes();

//Now hash the plain-text password with the random salt and multiple 
//iterations and then Base64-encode the value (requires less space than Hex): 
String hashedPasswordBase64 = new Sha256Hash(plainTextPassword, salt, 1024).toBase64();

User user = new User(username, hashedPasswordBase64);
//save the salt with the new account.  The HashedCredentialsMatcher 
//will need it later when handling login attempts: 
user.setPasswordSalt(salt);
userDAO.create(user);

This gives me an encrypted password, but how can I recover the plain-text password? Is it possible?


Solution

  • Thanks to Benjamin Marwell:

    This is possible only in theory and/or with a lot of money. You can use hacking tools which run on your GPU, but even then it might take years to find it. And that is exactly the point: password-based key derivation functions are designed to create an irreversible hash.

    Shiro 2.0 will use even better KDFs like Argon2 or bcrypt/scrypt, which require a vast amount of memory and CPU to make attacks not feasible.

    If you have access to the database where you stored the password, I would just set a new password and forget about the old one, if possible.
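
The following is an added example, not part of the original question or answer and not Shiro's own code. It shows why the plain text is never needed: login re-hashes the candidate with the stored salt, and a forgotten password is replaced rather than recovered. It assumes shiro-core 1.x on the classpath; the `ShiroPasswordDemo` and `Stored` classes and their method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;

public class ShiroPasswordDemo {
    // Same iteration count as the snippet in the question.
    static final int ITERATIONS = 1024;

    // Hypothetical stand-in for the question's User row: only salt and hash are kept.
    static final class Stored {
        final byte[] salt;
        final String hashBase64;
        Stored(byte[] salt, String hashBase64) {
            this.salt = salt;
            this.hashBase64 = hashBase64;
        }
    }

    // Registration and reset are the same operation: fresh random salt, new hash.
    static Stored hashNew(String plainTextPassword) {
        byte[] salt = new SecureRandomNumberGenerator().nextBytes().getBytes();
        String hash = new Sha256Hash(plainTextPassword, salt, ITERATIONS).toBase64();
        return new Stored(salt, hash);
    }

    // Login: hash the candidate with the stored salt and compare the two hashes.
    // MessageDigest.isEqual avoids an early-exit comparison.
    static boolean matches(String candidate, Stored stored) {
        String recomputed = new Sha256Hash(candidate, stored.salt, ITERATIONS).toBase64();
        return MessageDigest.isEqual(
                recomputed.getBytes(StandardCharsets.US_ASCII),
                stored.hashBase64.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed sample passwords, for illustration only.
        Stored record = hashNew("correct horse");
        System.out.println("right password accepted: " + matches("correct horse", record));
        System.out.println("wrong password accepted: " + matches("Correct horse", record));

        // A forgotten password is handled by overwriting salt and hash.
        record = hashNew("new-password-chosen-by-user");
        System.out.println("old password accepted after reset: " + matches("correct horse", record));
        System.out.println("new password accepted after reset: "
                + matches("new-password-chosen-by-user", record));
    }
}
```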