
Update BCryptPasswordEncoder's BCRYPT_PATTERN to work with more Algorithm Identifier #4550


Closed
manueljordan opened this issue Sep 16, 2017 · 1 comment

Comments

@manueljordan

I am integrating Spring Security with BCrypt.

I have read many tutorials about the integration. Done

I use the: Bcrypt-Generator.com - Online Bcrypt Hash Generator & Checker
I did realize it always starts with $2y.

But in testing I got errors, and at runtime the login always fails. For both scenarios the following always appears:

WARN o.s.s.c.b.BCryptPasswordEncoder - Encoded password does not look like BCrypt

I did realize BCryptPasswordEncoder.java has the following method

	public boolean matches(CharSequence rawPassword, String encodedPassword) {
		if (encodedPassword == null || encodedPassword.length() == 0) {
			logger.warn("Empty encoded password");
			return false;
		}

		if (!BCRYPT_PATTERN.matcher(encodedPassword).matches()) {
			logger.warn("Encoded password does not look like BCrypt");
			return false;
		}

		return BCrypt.checkpw(rawPassword.toString(), encodedPassword);
	}

Here are three points:

  • I can see logger.warn("Encoded password does not look like BCrypt");
  • I never call the matches method manually or explicitly. I am assuming Spring Security does this internally or implicitly
  • The if statement where the warn is located uses BCRYPT_PATTERN

Ok, BCRYPT_PATTERN is:

private Pattern BCRYPT_PATTERN = Pattern.compile("\\A\\$2a?\\$\\d\\d\\$[./0-9A-Za-z]{53}");

Up to here it starts with $2a?, but mine was generated as $2y. Thus it is always going to be false.

Now, if I use this BCrypt Calculator
I get $2a. Thus all works fine.

One: From the current Spring Security Reference Documentation, what is the official or recommended URL of a tool to generate the hashed password from a plain-text password?

Two: according to these links:

There are more algorithm identifiers, such as $2a and $2y, but the BCryptPasswordEncoder class only works with one.

According to the StackOverflow link, $2a is weak and $2b is the best. I am not sure what the official home page for BCrypt is to confirm this.
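As an added example, not code from the issue or from Spring Security: a stand-alone Java check that runs the BCRYPT_PATTERN quoted above against constructed hash-shaped strings, beside a hypothetical widened pattern that also admits the $2b and $2y identifiers. The class name, the widened pattern and the sample strings are assumptions for illustration.

```java
import java.util.regex.Pattern;

// Added example, not Spring Security's code: compares the BCRYPT_PATTERN quoted
// in the issue with a hypothetical widened variant that also accepts the $2b
// and $2y algorithm identifiers. The hash strings are constructed to have the
// right shape (22-char salt + 31-char hash = 53 chars); they are not real
// bcrypt outputs and the regex checks only shape, never validity.
public class BcryptPatternCheck {

    // Exact pattern from the issue: only "$2$" or "$2a$" prefixes match.
    static final Pattern ORIGINAL =
            Pattern.compile("\\A\\$2a?\\$\\d\\d\\$[./0-9A-Za-z]{53}");

    // Hypothetical widened pattern: the optional identifier letter may be a, b or y.
    static final Pattern WIDENED =
            Pattern.compile("\\A\\$2[aby]?\\$\\d\\d\\$[./0-9A-Za-z]{53}");

    // Constructed 53-character body (22 + 31 characters from the bcrypt alphabet).
    static final String BODY = "abcdefghijklmnopqrstuv" + "wxyz0123456789ABCDEFGHIJKLMNOPQ";

    // Mirrors the pre-check in matches(): null/empty is rejected before the regex runs.
    static boolean looksLikeBcrypt(Pattern p, String encoded) {
        return encoded != null && !encoded.isEmpty() && p.matcher(encoded).matches();
    }

    public static void main(String[] args) {
        String[] samples = {
            "$2a$10$" + BODY,              // accepted by both patterns
            "$2y$10$" + BODY,              // rejected by ORIGINAL: the issue's symptom
            "$2b$12$" + BODY,              // rejected by ORIGINAL
            "$2y$10$" + BODY.substring(1), // 52-char body: rejected by both
            "plaintext-not-a-hash",        // rejected by both
        };
        for (String s : samples) {
            System.out.printf("%-62s original=%-5b widened=%b%n",
                    s, looksLikeBcrypt(ORIGINAL, s), looksLikeBcrypt(WIDENED, s));
        }
    }
}
```

Widening the format pre-check is only half of the fix: the underlying BCrypt.checkpw call must also understand the identifier, so any change should be tested end to end with a hash actually produced under $2b or $2y.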

@rwinch
Member

rwinch commented Sep 19, 2017

Thanks for the report. This appears to be a duplicate of #3320.
