Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why the strength of BCryptPasswordEncoder is in between 4 and 31?

Tags:

bcrypt

spring-security

According to the docs :

Implementation of PasswordEncoder that uses the BCrypt strong hashing function. Clients can optionally supply a "strength" (a.k.a. log rounds in BCrypt) and a SecureRandom instance. The larger the strength parameter the more work will have to be done (exponentially) to hash the passwords. The default value is 10.

like image 661
Suraj Gautam Avatar asked Jan 09 '17 07:01

Suraj Gautam

People also ask

What is strength BCryptPasswordEncoder?

Class BCryptPasswordEncoder Clients can optionally supply a "strength" (a.k.a. log rounds in BCrypt) and a SecureRandom instance. The larger the strength parameter the more work will have to be done (exponentially) to hash the passwords. The default value is 10.

Why bcrypt hash is different every time?

The problem is that every encryption of it is different every time, so it can never match the one in the database. This is normal bcrypt behavior. bcrypt returns a different hash each time because it incorporates a different random value into the hash. This is known as a "salt".

How secure is BCryptPasswordEncoder?

Bcrypt is highly secure because a slat is used to protect against rainbow table attacks and it is an adaptive hashing function with the cryptographic chunk that can be increased when computer hardware gets faster that means the hashing function can be configured to run slower which also means it can slow down attacks.

What is the max length of bcrypt hash?

bcrypt has a maximum length input length of 72 bytes for most implementations. To protect against this issue, a maximum password length of 72 bytes (or less if the implementation in use has smaller limits) should be enforced when using bcrypt.

1 Answers

The strength is translated to iterations. For strength x there will be 2x iterations. Implementations are assumed to use unsigned 32-bit integer, where the maximum value is 4294967295. If x is larger than 31, 2x is bigger than this maximum value and an overflow would occur.

In practice, the Java implementation in Spring Security actually uses a 64-bit long since integers are signed in Java (maximum of int is 231-1).

A strength of 31 or close thereof is very slow and not usable anyway.

like image 147
holmis83 Avatar answered Apr 28 '23 15:04

holmis83
Sign in to Comment

Related questions

How do I automatically pick the configured SAML Identity provider in a multi-tenant environment to do SSO using Spring SAML
How to require multiple roles/authorities
Angular2 How to get token by sending credentials
springSecurityFilterChain cannot be null
Spring Security WebFlux and LDAP
"Refused to set unsafe header 'Cookie' " while sending cookies with GET request in angular 6
How to secure actuator endpoints with role in Spring Boot 2?
Spring Security Concurrency Control
Basic and form based authentication with Spring security Javaconfig
No mapping found for HTTP request with URI [/pms/j_spring_security_check] in DispatcherServlet with name 'appServlet'
Spring CSRF override "POST" logout behaviour in security XML config
Custom WebSecurityConfigurerAdapter
Spring Security java.lang.StackOverflowError exception after all providers
antMatchers that matches any beginning of path
@WithMockUser with custom User implementation
How to use Spring Security to custom login page?
EnableOAuth2Sso Annotation Missing On Upgrade To Spring Boot 2 [duplicate]
a bean of type 'org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder' that could not be found
spring exception handler to not handle certain types of exception
Spring MVC get current logged in user

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!