Taylor Leese (Migrated from SEC-1472) said:
It would be great to have build-in support for bcrypt hashing in Spring Security. I would foresee the usage to be something similar to below and then add a BcryptPasswordEncoder (similar to ShaPasswordEncoder).
<password-encoder hash="bcrypt" rounds="10">
<salt-source user-property="someProperty" />
This is a good example of custom bcrypt usage with Spring Security: http://sziebert.net/posts/using-bcrypt-with-spring-security/
Luke Taylor said:
I'm against doing this for the time being. We get requests from time to time to support less mainstream password-encoding algorithms but I don't want to add additional external core dependencies for what is really a niche requirement. It's also significant that the bCrypt implementation referred to had a serious vulnerability as recently as February of this year. If we are adding external dependencies on cryptography libraries I would prefer them to have seen more mainstream usage/scrutiny.
People tend to focus too much on issues like "which hashing/encryption algorithm is 'best'" when this is unlikely to be the main vulnerability of a system. If you are using SHA hashes with random salt values then this should not be a major focus area.
It is also trivial to implement the PasswordEncoder interface if users have specific requirements, and custom implementations are easily used with the namespace.
Taylor Leese said:
Understandable. What about support for SHA-512? It doesn't look like that is currently supported.
Udai Gupta said:
latest bcrypt 0.3 has solved the issue reported in feb
Dave Syer said:
I sent a pull request.
Implementation added by Dave Syer.
It would be nice to have bcrypt as a password-encocer hash. Looks like it needs to be added to the schema definition in spring-security-3.1.xsd. I'm sure there are other corresponding changes as well.
xs:documentationDefines the hashing algorithm used on user passwords. We recommend strongly against using MD4, as it is a very weak hashing algorithm./xs:documentation