Types of Password Encoders in Spring Security

By Atul Rai | Last Updated: May 14, 2023

Securing user passwords is of utmost importance in any application. The Spring Framework, a popular Java-based framework, offers a variety of password encoders to ensure the safe storage and retrieval of sensitive user data. In this blog, we will explore different types of password encoders the Spring Framework provides and illustrate their usage with examples.

Required Dependencies

Make sure you have the following dependencies in your project’s pom.xml file:

<dependencies>
	...
	<dependency>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-security</artifactId>
	</dependency>
	<dependency>
		<groupId>org.bouncycastle</groupId>
		<artifactId>bcprov-jdk15on</artifactId>
		<version>1.64</version>
	</dependency>
	...
</dependencies>

1. BCryptPasswordEncoder

BCryptPasswordEncoder is one of the most commonly used password encoders in Spring. It is based on the bcrypt algorithm, which is designed to be slow and computationally expensive, making it highly resistant to brute-force attacks.

BCryptPasswordEncoder internally generates a random salt and applies multiple rounds of hashing to create a secure password hash.

Let’s have a look on below example:

int strength = 10; // work factor of bcrypt
SecureRandom secureRandom = new SecureRandom(); // salt generator

PasswordEncoder passwordEncoder = new BCryptPasswordEncoder(strength, secureRandom);
String rawPassword = "Password@123";
String encodedPassword = passwordEncoder.encode(rawPassword);
boolean matches = passwordEncoder.matches(rawPassword, encodedPassword);

System.out.println("Password matches: " + matches);

Output:

Password matches: true

Similar Post: Securing Passwords with Spring Security Password Encoder

2. Pbkdf2PasswordEncoder

The Pbkdf2PasswordEncoder implements the Password-Based Key Derivation Function 2 (PBKDF2) algorithm. PBKDF2 applies a cryptographic hash function multiple times with a salt and an iteration count to derive the final password hash. This algorithm provides high security against brute-force attacks.

Example:

String seq = "websparrow"; // secret key used by password encoding
int saltLength = 64;     // salt length in bytes
int iterations = 200000;  // number of hash iteration
int hashWidth = 256;      // hash width in bits

PasswordEncoder passwordEncoder = new Pbkdf2PasswordEncoder(seq, saltLength, iterations, hashWidth);
String rawPassword = "Password@123";
String encodedPassword = passwordEncoder.encode(rawPassword);
boolean matches = passwordEncoder.matches(rawPassword, encodedPassword);

System.out.println("Password matches: " + matches);

Output:

Password matches: true

3. SCryptPasswordEncoder

SCryptPasswordEncoder is based on the scrypt key derivation function. This algorithm is memory-hard and requires a significant amount of computational resources, making it resilient against brute-force attacks. SCryptPasswordEncoder provides a good balance between security and performance.

Example:

int cpuCost = (int) Math.pow(2, 18); // factor to increase CPU costs
int memoryCost = 8; // increases memory usage
int parallelization = 1; // currently not supported by Spring Security
int keyLength = 32; // key length in bytes
int saltLength = 64; // salt length in bytes

PasswordEncoder passwordEncoder = new SCryptPasswordEncoder(cpuCost, memoryCost, parallelization, keyLength,
saltLength);
String rawPassword = "Password@123";
String encodedPassword = passwordEncoder.encode(rawPassword);
boolean matches = passwordEncoder.matches(rawPassword, encodedPassword);

System.out.println("Password matches: " + matches);

Output:

Password matches: true

4. NoOpPasswordEncoder

NoOpPasswordEncoder is a deprecated password encoder that does not perform any encryption or hashing. It is highly discouraged to use this encoder in production environments as it does not provide any security measures. It is mainly used for testing or when migrating from a legacy system with plain-text passwords.

Example:

PasswordEncoder passwordEncoder = NoOpPasswordEncoder.getInstance();
String rawPassword = "Password@123";
String encodedPassword = passwordEncoder.encode(rawPassword);
boolean matches = passwordEncoder.matches(rawPassword, encodedPassword);
System.out.println("Password matches: " + matches);

Output:

Password matches: true

References

  1. BCryptPasswordEncoder- Spring Doc
  2. Pbkdf2PasswordEncoder- Spring Doc
  3. SCryptPasswordEncoder- Spring Doc
  4. NoOpPasswordEncoder- Spring Doc

Similar Posts

About the Author

Atul Rai
I love sharing my experiments and ideas with everyone by writing articles on the latest technological trends. Read all published posts by Atul Rai.