Update BCryptPasswordEncoder documentation with default strength #8542

Merged

Conversation

islamazhar
Contributor

@islamazhar islamazhar commented May 18, 2020

Hi,

As mentioned in the Spring security doc on BCryptPasswordEncoder

The strength of BCryptPasswordEncoder should be tuned to take about 1 second to verify a password on your system.

However, the default implementation of BCryptPasswordEncoder uses a default strength of 10.
On my system (Intel Core i5 CPU 1.60GHz, 8 GB RAM), I found that the default implementation takes around 220~250 ms to verify a password, which is clearly way less than the 1 second lower limit.

I think it should be worth mentioning the default strength of BCryptPasswordEncoder, since in all of the Spring projects I have worked with, developers tend not to change the default strength, which according to the Spring security doc is not secure.

This can make the developers using the default strength of BCryptPasswordEncoder more conscious about setting a correct secure strength.
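The tuning the quoted documentation asks for (raise the strength until verification takes about one second on the deployment hardware) can be measured directly. The following is an added example, not code from this PR or from Spring Security itself; the class name and the sample password are made up for illustration.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Hypothetical calibration tool: finds the lowest BCrypt strength whose
// verification time reaches the ~1 second target on the machine it runs on.
public class BCryptStrengthCalibration {
    // Target from the Spring Security documentation quoted above.
    private static final long TARGET_MS = 1000;
    // Spring Security's default strength (the value this PR documents).
    private static final int DEFAULT_STRENGTH = 10;
    // BCrypt cost is capped at 31 (2^31 rounds); no point going further.
    private static final int MAX_STRENGTH = 31;

    public static void main(String[] args) {
        String password = "correct horse battery staple"; // constructed sample input
        for (int strength = DEFAULT_STRENGTH; strength <= MAX_STRENGTH; strength++) {
            BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(strength);
            // The cost is embedded in the hash, so matches() runs at the strength the
            // hash was created with: existing hashes keep their old cost until re-encoded.
            String hash = encoder.encode(password);
            encoder.matches(password, hash); // warm-up run so JIT does not skew timing

            long start = System.nanoTime();
            boolean ok = encoder.matches(password, hash);
            long elapsedMs = (System.nanoTime() - start) / 1_000_000;
            System.out.printf("strength %2d: %5d ms (matches=%b)%n", strength, elapsedMs, ok);

            if (elapsedMs >= TARGET_MS) {
                System.out.printf("Use strength %d: first cost to reach ~%d ms%n", strength, TARGET_MS);
                return;
            }
        }
        System.out.println("Target not reached even at strength " + MAX_STRENGTH);
    }
}
```

Each step up in strength doubles the work, so the loop ends within a few iterations above the default; run it on the actual production hardware rather than a developer laptop, since that is where the verification cost matters.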

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 18, 2020
@islamazhar
Contributor Author

I searched a bit more and found some interesting links which may be useful for adding a more appropriate context to the issue.

  • The python bcrypt library mentions the default strength here in the Adjustable Work Factor section.
  • The NodeJS bcrypt documentation mentions the strength factor here.
  • An interesting answer on Security Stack Exchange about the number of recommended rounds for bcrypt.

@rwinch rwinch self-assigned this May 21, 2020
@rwinch rwinch added in: docs An issue in Documentation or samples type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels May 21, 2020
@rwinch rwinch added this to the 5.4.0-M2 milestone May 21, 2020
@rwinch rwinch merged commit bf9e829 into spring-projects:master May 21, 2020
rwinch pushed a commit that referenced this pull request May 21, 2020
@spring-projects-issues spring-projects-issues added the status: backported An issue that has been backported to maintenance branches label May 21, 2020
@rwinch
Member

rwinch commented May 21, 2020

Thanks for the Pull Request! This is now merged into master 😄

@rwinch rwinch changed the title Security issue: mentioning the default strength of BCryptPasswordEncoder Update BCryptPasswordEncoder documentation with default strength May 21, 2020
@rwinch rwinch changed the title Update BCryptPasswordEncoder documentation with default strength Update BCryptPasswordEncoder documentation with default strength May 21, 2020