
SEC-1472: Add support for bcrypt password encoding #1711

spring-issuemaster opened this Issue Apr 30, 2010 · 6 comments



Taylor Leese (Migrated from SEC-1472) said:

It would be great to have built-in support for bcrypt hashing in Spring Security. I would foresee the usage to be something similar to below and then add a BcryptPasswordEncoder (similar to ShaPasswordEncoder).

        <password-encoder hash="bcrypt" rounds="10">
            <salt-source user-property="someProperty" />
        </password-encoder>

This is a good example of custom bcrypt usage with Spring Security: http://sziebert.net/posts/using-bcrypt-with-spring-security/

Luke Taylor said:

I'm against doing this for the time being. We get requests from time to time to support less mainstream password-encoding algorithms but I don't want to add additional external core dependencies for what is really a niche requirement. It's also significant that the bCrypt implementation referred to had a serious vulnerability as recently as February of this year. If we are adding external dependencies on cryptography libraries I would prefer them to have seen more mainstream usage/scrutiny.

People tend to focus too much on issues like "which hashing/encryption algorithm is 'best'" when this is unlikely to be the main vulnerability of a system. If you are using SHA hashes with random salt values then this should not be a major focus area.

It is also trivial to implement the PasswordEncoder interface if users have specific requirements, and custom implementations are easily used with the namespace.
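As an added illustration of the custom-implementation route described above (this is example code, not code from the issue or from Spring Security itself), here is a bcrypt encoder against the Spring Security 3.0 `PasswordEncoder` interface, backed by the jBCrypt library (`org.mindrot.jbcrypt.BCrypt`). It assumes jBCrypt 0.3 or later is on the classpath; the class name `BcryptPasswordEncoder` is the one proposed in the issue and is not an existing Spring Security type at this point.

```java
// Added example: custom bcrypt encoder for the Spring Security 3.0
// org.springframework.security.authentication.encoding.PasswordEncoder interface.
// Assumes jBCrypt 0.3+ (org.mindrot.jbcrypt.BCrypt) is available.
import org.mindrot.jbcrypt.BCrypt;
import org.springframework.security.authentication.encoding.PasswordEncoder;

public class BcryptPasswordEncoder implements PasswordEncoder {

    /** Work factor: log2 of the key-expansion iterations, so 10 means 2^10 = 1024. */
    private final int logRounds;

    public BcryptPasswordEncoder() {
        this(10);
    }

    public BcryptPasswordEncoder(int logRounds) {
        // bcrypt's cost field encodes values from 4 to 31; reject anything else early.
        if (logRounds < 4 || logRounds > 31) {
            throw new IllegalArgumentException("bcrypt log rounds must be between 4 and 31");
        }
        this.logRounds = logRounds;
    }

    /**
     * The salt argument supplied by a <salt-source> is deliberately ignored: bcrypt
     * draws its own random salt and stores it, together with the cost, inside the
     * "$2a$10$..." string it returns, so no separate salt column is needed.
     */
    public String encodePassword(String rawPass, Object salt) {
        return BCrypt.hashpw(rawPass, BCrypt.gensalt(logRounds));
    }

    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        if (encPass == null || rawPass == null) {
            return false;
        }
        try {
            // checkpw re-derives the hash with the salt and cost embedded in encPass.
            return BCrypt.checkpw(rawPass, encPass);
        } catch (IllegalArgumentException e) {
            // Stored value is not a well-formed bcrypt hash (e.g. a legacy SHA hash);
            // treat it as a failed match rather than letting the exception propagate.
            return false;
        }
    }
}
```

Wired in via `<password-encoder ref="bcryptEncoder"/>` with the bean defined in the application context, the stored hash is self-describing, so raising `logRounds` later only affects newly encoded passwords while existing ones keep verifying.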

Taylor Leese said:

Understandable. What about support for SHA-512? It doesn't look like that is currently supported.

Udai Gupta said:

The latest bcrypt 0.3 has solved the issue reported in Feb.

Dave Syer said:

I sent a pull request.

Luke Taylor said:

Implementation added by Dave Syer.

Taylor Leese said:

It would be nice to have bcrypt as a password-encoder hash. Looks like it needs to be added to the schema definition in spring-security-3.1.xsd. I'm sure there are other corresponding changes as well.

        <xs:attributeGroup name="hash">
            <xs:attribute name="hash" use="required">
                <xs:annotation>
                    <xs:documentation>Defines the hashing algorithm used on user passwords. We recommend strongly against using MD4, as it is a very weak hashing algorithm.</xs:documentation>
                </xs:annotation>
                <xs:simpleType>
                    <xs:restriction base="xs:token">
                        <xs:enumeration value="plaintext"/>
                        <xs:enumeration value="sha"/>
                        <xs:enumeration value="sha-256"/>
                        <xs:enumeration value="md5"/>
                        <xs:enumeration value="md4"/>
                        <xs:enumeration value="{sha}"/>
                        <xs:enumeration value="{ssha}"/>
                    </xs:restriction>
                </xs:simpleType>
            </xs:attribute>
        </xs:attributeGroup>

@spring-issuemaster spring-issuemaster added this to the 3.1.0 milestone Feb 5, 2016
