Andremoniy

Reputation: 34900

Retrieving password salt with BCryptPasswordEncoder in Spring

It appears that org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder doesn't return the generated password salt:

public String encode(CharSequence rawPassword) {
    String salt;
    if(this.strength > 0) {
        if(this.random != null) {
            salt = BCrypt.gensalt(this.strength, this.random);
        } else {
            salt = BCrypt.gensalt(this.strength);
        }
    } else {
        salt = BCrypt.gensalt();
    }

    return BCrypt.hashpw(rawPassword.toString(), salt);
}

Question: what purpose is that designed for? How can this be used, since it doesn't return a salt, which should be stored for password checking?

Upvotes: 5

Views: 9795

Answers (1)

Erik Pragt

Reputation: 14617

Apparently, the salt is part of the encrypted String, which is separated by $.

More information can be found here: How can bcrypt have built-in salts?

Upvotes: 8
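
The layout the answer describes, shown as an added example (not code from the original post or from Spring itself): it splits the string returned by `encode()` into its fields and shows that the embedded salt alone is enough to verify a password. It assumes `spring-security-crypto` is on the classpath and Java 16+ for records; the class `BcryptSaltDemo`, the `Parts` record, the `parse` helper and the sample password are constructed for illustration.

```java
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BcryptSaltDemo {

    /** Fields of a bcrypt string: $<version>$<cost>$<22-char salt><31-char hash>. */
    record Parts(String version, int cost, String salt, String hash) {}

    // Hypothetical helper: split an encoded bcrypt string into its fields.
    static Parts parse(String encoded) {
        // The bcrypt base64 alphabet is [./A-Za-z0-9], so '$' only ever separates fields.
        String[] f = encoded.split("\\$");
        if (f.length != 4 || !f[0].isEmpty() || f[3].length() != 53) {
            throw new IllegalArgumentException("not a bcrypt hash string");
        }
        return new Parts(f[1], Integer.parseInt(f[2]),
                f[3].substring(0, 22), f[3].substring(22));
    }

    public static void main(String[] args) {
        String raw = "correct horse battery staple"; // constructed sample password
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(10);

        String stored = encoder.encode(raw); // the only value that has to be persisted
        Parts p = parse(stored);
        System.out.println("stored  = " + stored);
        System.out.println("version = " + p.version() + ", cost = " + p.cost());
        System.out.println("salt    = " + p.salt());
        System.out.println("hash    = " + p.hash());

        // Everything up to and including the 22 salt characters has the same
        // shape as the BCrypt.gensalt() value used inside encode().
        String saltPrefix = stored.substring(0, stored.lastIndexOf('$') + 1 + 22);
        boolean reproduced = BCrypt.hashpw(raw, saltPrefix).equals(stored);
        System.out.println("re-hash with embedded salt equals stored: " + reproduced);

        // matches() takes only the raw password and the stored string;
        // there is no separate salt argument to supply.
        System.out.println("matches(correct) = " + encoder.matches(raw, stored));
        System.out.println("matches(wrong)   = " + encoder.matches("wrong password", stored));

        // A fresh random salt per call means two encodings of one password differ.
        System.out.println("second encode differs: " + !encoder.encode(raw).equals(stored));
    }
}
```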
