Reputation: 19280
I'm using Spring Security 3.1.1.RELEASE. I'm using the StandardPasswordEncoder.encode(password) function to encrypt my user passwords, which relies on a random salt being generated. From the Spring Security source, ultimately this method gets called from "org.springframework.security.crypto.keygen.SecureRandomBytesKeyGenerator" for the salt generation …
    // Generates a fresh salt on every call; keyLength defaults to 8 bytes
    public byte[] generateKey() {
        byte[] bytes = new byte[keyLength];
        random.nextBytes(bytes);   // random is a java.security.SecureRandom
        return bytes;
    }
My question is, when a password is entered from a login page, how does the same salt used for an encoded-password comparison get generated? It seems like the above is random so I would figure a new random salt is created when a comparison is done.
Upvotes: 3
Views: 986
Reputation: 1331
The salt gets saved in the database along with the hashed password. When the user logs in again, the salt is extracted from the database, hashed with the password, and compared with the password hash in the database. If they match, the password was correct.
Salt values just make people with the same password not stand out in the database, because the salt key changes the hash. It also makes it harder to brute force the hash, as the key also makes the password longer. If the hashed password is found through brute force, the key must still be removed from that hash in order to know the real password, making it harder to reverse engineer the password from the hash.
Upvotes: 3
Reputation: 1510
No. If you configured Spring Security for salted hashed passwords, then upon comparison there is a call for user data lookup. Once the user record is found by username, the salt is extracted from the password field and used to calculate the hash of the password from the page form. Then the hashes get compared.
Upvotes: 2
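To make the flow both answers describe concrete, here is a small added example (not Spring's code, and not taken from the question or either answer) that models the storage layout StandardPasswordEncoder uses: the random salt is prepended to the digest and the two are hex-encoded together, so `matches()` never needs to generate a new salt, it just slices the stored one back out. The 8-byte salt length, the 1024 SHA-256 iterations and the optional secret prefix are assumptions about the encoder's internals, and `register`/`login` with an in-memory dict stand in for the user lookup that Spring does against your database. Use constant-time comparison as shown, so the compare does not leak which prefix of the digest matched.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

SALT_LEN = 8       # assumed: SecureRandomBytesKeyGenerator's default key length
ITERATIONS = 1024  # assumed: number of SHA-256 rounds applied to the input
SECRET = b""       # assumed: StandardPasswordEncoder's optional secret, empty here


def _digest(secret: bytes, salt: bytes, password: str,
            iterations: int = ITERATIONS) -> bytes:
    """Iterated SHA-256 over secret || salt || password (modeled, not Spring's code)."""
    value = secret + salt + password.encode("utf-8")
    for _ in range(iterations):
        value = hashlib.sha256(value).digest()
    return value


def encode(password: str, secret: bytes = SECRET,
           salt: Optional[bytes] = None) -> str:
    """Return hex(salt || digest). A new random salt is drawn unless one is supplied
    (the salt parameter exists only so tests can be deterministic)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)   # fresh salt per encode(), like generateKey()
    return (salt + _digest(secret, salt, password)).hex()


def matches(password: str, encoded: str, secret: bytes = SECRET) -> bool:
    """Recover the salt from the stored value, re-hash the candidate, compare."""
    stored = bytes.fromhex(encoded)
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    actual = _digest(secret, salt, password)
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(actual, expected)


# --- the login flow the second answer describes, against a stand-in user table ---

def register(users: Dict[str, str], username: str, password: str) -> None:
    """Store only the encoded value; the raw password is never persisted."""
    users[username] = encode(password)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Look the user up by name, then compare against the stored salt+hash."""
    encoded = users.get(username)
    if encoded is None:
        return False
    return matches(password, encoded)


if __name__ == "__main__":
    # constructed sample data
    table: Dict[str, str] = {}
    register(table, "alice", "correct horse battery staple")
    register(table, "bob", "correct horse battery staple")
    # same password, different stored values because the salts differ
    print(table["alice"] != table["bob"])
    print(login(table, "alice", "correct horse battery staple"))
    print(login(table, "alice", "wrong"))
```

Two users with the same password get different stored strings, yet both verify, which is exactly why a new salt at comparison time is not needed: the stored value already carries the one that was used.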