Default implementation of the {@link HashService} interface, supporting a customizable hash algorithm name, secure-random salt generation, multiple hash iterations and an optional internal {@link #setPrivateSalt(ByteSource) privateSalt}. <h2>Hash Algorithm</h2> You may specify a hash algorithm via the {@link #setHashAlgorithmName(string)} property. Any algorithm name understood by the JDK {@link java.security.MessageDigest#getInstance(string) MessageDigest.getInstance(string algorithmName)} method will work. The default is {@code SHA-512}. <h2>Random Salts</h2> When a salt is not specified in a request, this implementation generates secure random salts via its {@link #setRandomNumberGenerator(hunt.shiro.crypto.RandomNumberGenerator) randomNumberGenerator} property. Random salts (and potentially combined with the internal {@link #getPrivateSalt() privateSalt}) is a very strong salting strategy, as salts should ideally never be based on known/guessable data. The default instance is a {@link SecureRandomNumberGenerator}. <h2>Hash Iterations</h2> Secure hashing strategies often employ multiple hash iterations to slow down the hashing process. This technique is usually used for password hashing, since the longer it takes to compute a password hash, the longer it would take for an attacker to compromise a password. This <a href="http://www.stormpath.com/blog/strong-password-hashing-apache-shiro">blog article</a> explains in greater detail why this is useful, as well as information on how many iterations is 'enough'. <p/> You may set the number of hash iterations via the {@link #setHashIterations(int)} property. The default is {@code 1}, but should be increased significantly if the {@code HashService} is intended to be used for password hashing. See the linked blog article for more info. <h2>Private Salt</h2> If using this implementation as part of a password hashing strategy, it might be desirable to configure a {@link #setPrivateSalt(ByteSource) private salt}: <p/> A hash and the salt used to compute it are often stored together. If an attacker is ever able to access the hash (e.g. during password cracking) and it has the full salt value, the attacker has all of the input necessary to try to brute-force crack the hash (source + complete salt). <p/> However, if part of the salt is not available to the attacker (because it is not stored with the hash), it is <em>much</em> harder to crack the hash value since the attacker does not have the complete inputs necessary. <p/> The {@link #getPrivateSalt() privateSalt} property exists to satisfy this private-and-not-shared part of the salt. If you configure this attribute, you can obtain this additional very important safety feature. <p/> <b>*</b>By default, the {@link #getPrivateSalt() privateSalt} is null, since a sensible default cannot be used that isn't easily compromised (because Shiro is an open-source project and any default could be easily seen and used).