
This question has been answered in this Stack Overflow question already, but it's not Grails-specific and is also kind of vague.

I set my Grails app up with Spring Security, but apparently didn't get the newest version, because it defaulted to SHA-256 instead of bcrypt. Now I have production data with passwords hashed in what seems to be a less-than-ideal method.

It's a piece of cake to enable bcrypt hashing:

Config.groovy > grails.plugins.springsecurity.password.algorithm = 'bcrypt'

but now I need the app to convert the old hashes into new ones. Fundamentally, I understand that when a user logs in, I should have the app check to see if the password is an SHA-256 hash, and if so, re-hash the entered password with bcrypt. After a while, they'll all be upgraded and that code can be removed.

What is the actual code for determining if a password hash is from SHA-256 or bcrypt, though?

EDIT

That is to say, what is the actual function that I call to get a hash? How do I bcrypt(incomingpassword) to see if it matches the existing password hash?

Charles Wood

1 Answer


bcrypt passwords will start with "$2a$10$" and be 60 chars long. There is no pattern for SHA-256, but it will be 64 chars long.

Burt Beckwith
  • Thanks, Burt. I still have the same problem, though; I have no idea how to instantiate and call an arbitrary password encoder at will. I have dug into Spring Security's internals, but it quickly gets beyond my ability to understand at this point. If I want to go `user.hashedPassword == bcrypt(incomingPassword)`... what do I actually type instead of "bcrypt"? – Charles Wood Dec 20 '13 at 19:42
  • I thought this was interesting and good to have documented, so I worked up an implementation and blog post here: http://burtbeckwith.com/blog/?p=2017 – Burt Beckwith Dec 20 '13 at 22:14
  • Hmm. `Could not instantiate bean class [org.springframework.security.authentication.encoding.MessageDigestPasswordEncoder]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: No such algorithm [bcrypt]` I'm running Grails 2.2.0 and the Spring Security plugin 2.0-RC2. – Charles Wood Dec 27 '13 at 19:26
  • Use the settings for SHA-256 or whatever the old algorithm is - the bcrypt encoder is explicitly configured. Once you're ready to switch to a single algorithm, remove all of this and configure bcrypt like in a new app – Burt Beckwith Dec 27 '13 at 19:32
  • Say... is it possible that the SHA-256 implementation has changed between Spring Security Plugin version 1 and version 2? Because `sha256PasswordEncoder` is not hashing my password into the same hash as what's in the database. – Charles Wood Dec 30 '13 at 15:58
  • Actually, SSP 2.0-RC2 defaults to bcrypt. That's what was causing the exception above. I'm pretty confident of this because I just uninstalled and reinstalled the plugin. Setting the algorithm to 'SHA-256' in my config got rid of the exception. It's still not hashing the password correctly, though. http://www.convertstring.com/Hash/SHA256 encodes my password to the same thing that's in my DB. sha256PasswordEncoder.encodePassword does not. – Charles Wood Dec 30 '13 at 17:20
  • You probably need `grails.plugin.springsecurity.password.hash.iterations = 1` also, since the 1.2 plugin used 1 iteration and the 2.0 plugin defaults to 10,000 – Burt Beckwith Dec 30 '13 at 17:34
  • That did it. Forgot to check that when I was looking back at 1.2. Thanks. – Charles Wood Dec 30 '13 at 17:37
  • Does spring security understand this format of hash? The example passwords in the documentation at http://docs.spring.io/spring-security/site/docs/3.2.2.RELEASE/reference/htmlsingle/#ns-password-encoder are in a different format...? – Jules Mar 11 '14 at 03:07
  • This is Spring Security, just a Grails-y wrapper around it. I'm not sure what's up with those docs, but the passwords are not bcrypt hashes. – Burt Beckwith Mar 11 '14 at 03:18
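An added example of the format check and re-hash-on-login flow discussed in the question, the answer and the comments, written directly against Spring Security 3.x's encoder classes (this is not code from the question, the answer, or the linked blog post). The encoder class and method names are Spring Security's own; the service class, its method names and the `user.password` property are assumptions.

```groovy
import org.springframework.security.authentication.encoding.MessageDigestPasswordEncoder
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
import java.util.regex.Pattern

// Hypothetical service: decides which encoder a stored hash belongs to and
// upgrades legacy SHA-256 hashes to bcrypt at the only moment the plaintext
// is available, i.e. during a successful login.
class PasswordMigrationService {

    // bcrypt modular-crypt format: "$2a$" (or $2b$/$2y$), two-digit cost, "$",
    // then a 22-char salt and 31-char hash in bcrypt's base64 alphabet: 60 chars.
    private static final Pattern BCRYPT = Pattern.compile('^\\$2[aby]?\\$\\d{2}\\$[./A-Za-z0-9]{53}$')
    // Hex-encoded SHA-256 digest: exactly 64 hex characters and no other structure.
    private static final Pattern SHA256_HEX = Pattern.compile('^[0-9a-f]{64}$', Pattern.CASE_INSENSITIVE)

    private final MessageDigestPasswordEncoder legacyEncoder
    private final BCryptPasswordEncoder bcryptEncoder = new BCryptPasswordEncoder(10)

    PasswordMigrationService() {
        legacyEncoder = new MessageDigestPasswordEncoder('SHA-256')
        // Plugin 1.x hashed once; plugin 2.x defaults to 10,000 iterations and
        // would never match the existing rows (see the comments above).
        legacyEncoder.iterations = 1
    }

    static boolean isBcrypt(String stored) { stored != null && BCRYPT.matcher(stored).matches() }
    static boolean isLegacySha256(String stored) { stored != null && SHA256_HEX.matcher(stored).matches() }

    // Returns true when rawPassword matches user.password in whichever format it
    // is stored. If the stored hash was legacy SHA-256, user.password is replaced
    // with a bcrypt hash of the same password; the caller persists the user.
    boolean verifyAndMigrate(user, String rawPassword) {
        String stored = user.password
        if (isBcrypt(stored)) {
            return bcryptEncoder.matches(rawPassword, stored)
        }
        if (isLegacySha256(stored)) {
            // null salt: the asker confirmed a plain, unsalted SHA-256 of the
            // password equals the value in the database.
            if (!legacyEncoder.isPasswordValid(stored, rawPassword, null)) {
                return false
            }
            user.password = bcryptEncoder.encode(rawPassword)
            return true
        }
        return false   // unrecognised format: fail closed rather than guess
    }
}
```

If the User domain class still carries the s2-quickstart `beforeUpdate` hook that re-encodes a dirty `password` through `springSecurityService.encodePassword`, bypass that hook for this one write, otherwise the new bcrypt hash is itself hashed with whatever algorithm the config currently names.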