Reputation:
In a Spring Boot 2 project I use the bcrypt password encoder to authenticate users against an LDAP directory. The passwords are stored in the LDIF file, hence in the directory, in a hashed form, with bcrypt. In order to determine the hash for each password that I need to store in the LDIF file, so that it can be loaded into the directory, I'm using this generator: https://bcrypt-generator.com.
So, I generate the hashes for the users' passwords and I store the generated values in the LDIF file. Then, I'm trying to perform authentication using the Spring LDAP password compare. But the authentication fails, as Spring and the mentioned site calculate a different bcrypt hash for the same password.
Using the hash calculated by the Spring encode() function works, of course. So my questions are:
Many thanks in advance.
Nicolas
Upvotes: 1
Views: 2450
Reputation: 116231
How come using the same algorithm with the same input value and the same parameters, two implementations supposed to be equivalent provide different results?
It's normal for bcrypt to produce different output for the same input (see "Bcrypt generates different hashes for the same input?", for example), so the different hashes are to be expected.
How is one supposed to generate the hash values since Spring doesn't seem to provide any generator?
Spring Boot's CLI includes an encodepassword command that can be used to generate a bcrypt-encoded password:
$ spring encodepassword secret
{bcrypt}$2a$10$bhY3U6LEvbJ7DdWrcPqBu.vtLFPqDCgDGpTmyWrAVBcMANQzI/4Xy
https://bcrypt-generator.com reports a match for $2a$10$bhY3U6LEvbJ7DdWrcPqBu.vtLFPqDCgDGpTmyWrAVBcMANQzI/4Xy and secret.
Upvotes: 2
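The behaviour described in the answer, as an added example that is not part of the original post: two encodings of the same password differ because each carries its own random salt, so verification has to re-hash with the salt embedded in the stored value instead of comparing freshly generated strings. It assumes spring-security-crypto is on the classpath; the class name BcryptSaltDemo is hypothetical, and the stored hash is the one quoted in the answer.

```java
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical demo class, not code from the page.
public class BcryptSaltDemo {
    public static void main(String[] args) {
        String password = "secret";
        // Hash printed by `spring encodepassword secret` in the answer above,
        // without the {bcrypt} prefix.
        String stored = "$2a$10$bhY3U6LEvbJ7DdWrcPqBu.vtLFPqDCgDGpTmyWrAVBcMANQzI/4Xy";

        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder(); // default cost is 10

        // Each encode() call draws a fresh random salt, so comparing two
        // encodings of the same password as strings is not a valid check.
        String first = bcrypt.encode(password);
        String second = bcrypt.encode(password);
        System.out.println("two encodings equal as strings: " + first.equals(second));

        // matches() reads the cost and salt out of the stored hash and
        // re-hashes the candidate password with them.
        System.out.println("first matches:  " + bcrypt.matches(password, first));
        System.out.println("second matches: " + bcrypt.matches(password, second));
        System.out.println("stored matches: " + bcrypt.matches(password, stored));

        // Layout of a bcrypt string: "$2a$" + two-digit cost + "$"
        // + 22-character salt + 31-character digest (60 characters in total).
        String versionCostSalt = stored.substring(0, 29);
        System.out.println("embedded salt part: " + versionCostSalt);

        // Re-hashing with the embedded salt is what makes the result
        // reproducible; this is the step matches() performs internally.
        String rehashed = BCrypt.hashpw(password, versionCostSalt);
        System.out.println("re-hash with embedded salt equals stored: "
                + rehashed.equals(stored));

        // The {bcrypt} prefix emitted by the CLI is the id used by the
        // delegating encoder to select the algorithm.
        PasswordEncoder delegating =
                PasswordEncoderFactories.createDelegatingPasswordEncoder();
        System.out.println("prefixed form matches: "
                + delegating.matches(password, "{bcrypt}" + stored));
    }
}
```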