Spring Security Team Recommendation
- Spring Security recommends using the popular bcrypt algorithm
- bcrypt
  - Performs one-way hashing (the stored value cannot be turned back into the password)
  - Adds a random salt to the password for additional protection
  - Includes a tunable work factor that slows down brute-force attacks
- Why you should use bcrypt to hash passwords
  - https://danboterhoven.medium.com/why-you-should-use-bcrypt-to-hash-passwords-af330100b861
- Detailed bcrypt algorithm analysis
  - https://en.wikipedia.org/wiki/Bcrypt
- Password hashing - Best Practices
  - https://crackstation.net/hashing-security.htm
How to get a Bcrypt password
- You have a plaintext password and you want to hash it with bcrypt
  - Option 1: Use a website utility to perform the hashing
  - Option 2: Write Java code to perform the hashing
Development Process
- Run an SQL script that contains the bcrypt-hashed passwords
- Modify the DDL for the password field: its length should be 68
Spring Security Password Storage
- In Spring Security, passwords are stored using a specific format: an algorithm id prefix followed by the hashed password
Modify DDL for Password Field
Step 1: Develop an SQL script to set up the database tables
Spring Security Login Process
- Retrieve the stored password from the db for the user
- Read the encoding algorithm id (bcrypt etc.)
- For the case of bcrypt, hash the plaintext password from the login form (using the salt from the db password)
- Compare the hashed password from the login form WITH the hashed password from the db
  - If there is a match, login successful
  - If no match, login NOT successful
- NOTE:
  - The password from the db is NEVER decrypted
  - Because bcrypt is a one-way hashing algorithm
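The login process above, as an added example that is not part of the original post, written against Spring Security's spring-security-crypto module: it produces the `{bcrypt}`-prefixed value that fits the 68-character column, then checks a login attempt by re-hashing it with the stored salt. The username and password values and the in-memory user map are constructed stand-ins for the database table.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptLoginDemo {

    // Constructed stand-in for the users table: username -> stored password column
    private static final Map<String, String> USERS = new HashMap<>();

    // Spring's default encoder: bcrypt, output prefixed with the "{bcrypt}" algorithm id
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /** Option 2 from the notes: produce the value to put in the SQL script. */
    static String hashForStorage(String plaintext) {
        String stored = ENCODER.encode(plaintext);
        // "{bcrypt}" (8 chars) + 60-char bcrypt string = 68, hence the DDL column length
        if (stored.length() != 68) {
            throw new IllegalStateException("unexpected encoded length: " + stored.length());
        }
        return stored;
    }

    /** The login process: fetch the stored hash, re-hash the attempt with its salt, compare. */
    static boolean login(String username, String attempt) {
        String stored = USERS.get(username);
        if (stored == null) {
            return false; // unknown user: nothing to compare against
        }
        // matches() reads the {id} prefix, selects bcrypt, takes the salt embedded in the
        // stored hash, hashes the attempt with that salt and compares. Nothing is decrypted.
        return ENCODER.matches(attempt, stored);
    }

    public static void main(String[] args) {
        String first = hashForStorage("fun123");   // constructed sample password
        String second = hashForStorage("fun123");
        System.out.println("stored value: " + first);
        // Random salt: the same password hashes to a different stored value each time
        System.out.println("different salts: " + !first.equals(second));

        USERS.put("john", first);                  // constructed sample user
        System.out.println("john / fun123  -> " + login("john", "fun123"));
        System.out.println("john / wrong   -> " + login("john", "wrong"));
        System.out.println("nobody / fun123 -> " + login("nobody", "fun123"));
    }
}
```

Both stored values start with `{bcrypt}` and verify correctly for the right password even though they differ, which is exactly why the login code never compares two hashes as strings but calls `matches()`.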