Spring Security password encoding issue

I am using Grails 2.3.0 and am facing a strange problem when encoding a password with Spring Security:

This is my method for encoding a password:

    String encodePassword(String password) {
        return springSecurityService.encodePassword(password)
    }

and using this

    log.debug encodePassword("mkb")
    log.debug encodePassword("mkb")
    log.debug encodePassword("mkb")

I encode the same password several times, and every time I get different encoded passwords.

Logs:

    $2a$10$h8T4BxgOeozmH/VSPJl7NeTaF2P0iONpSdqDN7dDFFAG.sy8WG/8K
    $2a$10$a7qybaiLF/eNrTSwFohjkezNaJTTDdMEinRYKjxDzEt.OoxaIgFOu
    $2a$10$nZVhUT0QTmmbtt22CPtM..cLxU252RGBIMkd5aSd2AFXNTNLQ./6u
+5

1 answer

That's fine. It looks like you are using BCrypt; this algorithm uses a random salt every time you encode a password (other hashing algorithms use a salt source property such as id). This salt is added to the hash.

So you have:

  • $2a - salt version
  • $10 - rounds
  • $h8T4BxgOeozmH/VSPJl7NeTaF2P0iONpSdqDN7dDFFAG.sy8WG/8K - Base64 for salt + hash, where salt receives the first 24 characters, and the hash takes the rest:
    • h8T4BxgOeozmH/VSPJl7NeTaF - salt
    • 2P0iONpSdqDN7dDFFAG.sy8WG/8K - hash (10 rounds for salt + password)

See the Spring Security BCrypt source: https://github.com/spring-projects/spring-security/blob/master/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java

If you need to manually verify the user password, you must use passwordEncoder, for example:

    // dependency injection
    def passwordEncoder

    // validate
    String enteredPassword = params.password
    User user = ...
    if (!passwordEncoder.isPasswordValid(user.password, enteredPassword, null)) {
        // validates the raw password against the hashed one
        // ... wrong password entered
    }
+12
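To make the answer's breakdown concrete, here is an added Python example; it is not code from the question or the answer, and not Grails or Spring code. It parses the three values logged in the question into version, cost, salt and hash, splitting the 53-character body at the boundary the BCrypt format itself uses: a 22-character salt followed by a 31-character hash. It then shows why comparing a fresh encoding against the stored one is always false, even for the right password, and the pattern a correct check follows: rehash the candidate with the salt and cost taken from the stored value, then compare in constant time. The `hashpw` argument of `verify` is an assumption, standing for any bcrypt implementation that reads salt and cost from the stored string and returns the full encoded string (what Spring's `BCrypt.checkpw`, and therefore `passwordEncoder.isPasswordValid`, does internally). `needs_rehash` is a helper added here for spotting stored hashes made with a lower cost than current policy requires.

```python
import hmac
import re

# bcrypt "modular crypt" layout: $<version>$<cost>$<22-char salt><31-char hash>
# The body uses bcrypt's own base64 alphabet "./A-Za-z0-9", not RFC 4648.
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$(?P<body>[./A-Za-z0-9]{53})$"
)
SALT_CHARS = 22  # 128-bit salt
HASH_CHARS = 31  # 184-bit digest

# The three values the question logged for the same input "mkb".
LOGGED_HASHES = [
    "$2a$10$h8T4BxgOeozmH/VSPJl7NeTaF2P0iONpSdqDN7dDFFAG.sy8WG/8K",
    "$2a$10$a7qybaiLF/eNrTSwFohjkezNaJTTDdMEinRYKjxDzEt.OoxaIgFOu",
    "$2a$10$nZVhUT0QTmmbtt22CPtM..cLxU252RGBIMkd5aSd2AFXNTNLQ./6u",
]


def parse_bcrypt(encoded):
    """Split a bcrypt string into its fields; raise ValueError if malformed."""
    m = BCRYPT_RE.match(encoded)
    if m is None:
        raise ValueError("not a bcrypt string: %r" % (encoded,))
    body = m.group("body")
    return {
        "version": m.group("version"),
        "cost": int(m.group("cost")),  # work factor: 2**cost key-expansion rounds
        "salt": body[:SALT_CHARS],
        "hash": body[SALT_CHARS:SALT_CHARS + HASH_CHARS],
    }


def compare_encodings(hashes):
    """Explain why several encodings of one password differ: same version and
    cost, but a fresh random salt (and therefore a different digest) each time."""
    parsed = [parse_bcrypt(h) for h in hashes]
    return {
        "same_version": len({p["version"] for p in parsed}) == 1,
        "same_cost": len({p["cost"] for p in parsed}) == 1,
        "distinct_salts": len({p["salt"] for p in parsed}) == len(parsed),
        "distinct_hashes": len({p["hash"] for p in parsed}) == len(parsed),
    }


def naive_check(stored, fresh_encoding):
    """The wrong check: encode the candidate again and compare the strings.
    The new encoding gets a new salt, so this is False even for the right
    password."""
    return stored == fresh_encoding


def verify(stored, candidate, hashpw):
    """The right check: rehash the candidate with the salt and cost embedded
    in the stored value, then compare in constant time.

    hashpw(candidate, stored) is assumed to be a bcrypt implementation that
    reads salt and cost from `stored` and returns the full encoded string.
    """
    parse_bcrypt(stored)  # refuse to "verify" against a malformed stored value
    recomputed = hashpw(candidate, stored)
    return hmac.compare_digest(stored.encode("ascii"), recomputed.encode("ascii"))


def needs_rehash(stored, current_cost):
    """True when a stored hash was made with a lower cost than policy now
    requires, so it should be re-encoded on the user's next successful login."""
    return parse_bcrypt(stored)["cost"] < current_cost
```

In a Grails application the rehash-and-compare step is exactly what `passwordEncoder.isPasswordValid(user.password, enteredPassword, null)` in the answer performs, so the application code never needs to extract the salt itself; the parser above is useful mainly for sanity-checking what is in the database (format, version, cost) before a migration or a cost increase.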

Source: https://habr.com/ru/post/970557/
