Are there any best practices to be considered when moving the password encoding of existing users from StandardPasswordEncoder to BCryptPasswordEncoder?
Asked by yglodt
- Existing passwords (which were encoded with `StandardPasswordEncoder`) cannot be decoded back. It means that you cannot update existing users to use the BCrypt encoder, so you must use both encoders: `StandardPasswordEncoder` for existing users and `BCryptPasswordEncoder` for new users. – Roman Proshin Apr 25 '16 at 08:50
- Probably I could create the bcrypt-encoded password when a user logs in who still has a standard-encoded password, and then update the database, or save the new password hash in a new field? – yglodt Apr 25 '16 at 09:46
- Yes, good idea! And I think this is the only way to replace encoders. But again, you need to support this crutch all the time while there is at least one user with an old password. – Roman Proshin Apr 25 '16 at 10:04
- Yes, that's true. Users are forced to change passwords after a while, so the ugliness would die out after some time. Thanks for the input. – yglodt Apr 25 '16 at 12:15
- See also: http://stackoverflow.com/questions/31285604/switching-from-md5-to-bcrypt-with-spring-security/31288462 – Slava Semushin Apr 25 '16 at 16:44
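The lazy-migration approach discussed in the comments (keep both encoders, verify the old hash at login, and re-encode with BCrypt at the one moment the plaintext is available) can be implemented by subclassing Spring Security's `DaoAuthenticationProvider`. The following is an added example written for this page, not code from the question or from Spring Security itself. It assumes a hypothetical `PasswordStore` persistence hook (`updatePassword`), and it assumes that the `StandardPasswordEncoder` is constructed with the same secret that produced the existing hashes (the no-arg constructor means "no secret"); a mismatch there makes every legacy login fail.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;

/**
 * Authentication provider that accepts both hash formats and, after a successful
 * login against a legacy StandardPasswordEncoder hash, re-encodes the presented
 * password with BCrypt and persists it. New passwords are always BCrypt.
 */
public class UpgradingAuthenticationProvider extends DaoAuthenticationProvider {

    /** Hypothetical persistence hook (assumed for this example, not a Spring type). */
    public interface PasswordStore {
        void updatePassword(String username, String newEncodedPassword);
    }

    private final PasswordEncoder legacy;   // verifies existing hashes only
    private final PasswordEncoder bcrypt = new BCryptPasswordEncoder();
    private final PasswordStore store;

    public UpgradingAuthenticationProvider(PasswordStore store, CharSequence legacySecret) {
        this.store = store;
        // Assumption: legacySecret is the secret used when the old hashes were created.
        this.legacy = new StandardPasswordEncoder(legacySecret);
        // Registration / password-change flows and the normal check path use BCrypt.
        setPasswordEncoder(bcrypt);
    }

    /** BCrypt output carries a "$2a$"/"$2b$"/"$2y$" prefix; StandardPasswordEncoder emits bare hex. */
    static boolean isBcrypt(String encoded) {
        return encoded != null && encoded.startsWith("$2");
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails user,
                                                  UsernamePasswordAuthenticationToken authentication)
            throws AuthenticationException {
        String stored = user.getPassword();
        if (isBcrypt(stored)) {
            // Already migrated: let DaoAuthenticationProvider do the BCrypt comparison.
            super.additionalAuthenticationChecks(user, authentication);
            return;
        }
        if (authentication.getCredentials() == null) {
            throw new BadCredentialsException("No credentials presented");
        }
        String presented = authentication.getCredentials().toString();
        if (!legacy.matches(presented, stored)) {
            throw new BadCredentialsException("Bad credentials");
        }
        // Legacy hash verified. This is the only point where the plaintext is in hand,
        // so upgrade the stored hash now; the next login takes the BCrypt branch above.
        store.updatePassword(user.getUsername(), bcrypt.encode(presented));
    }
}
```

Two practical notes on this pattern. The write in `updatePassword` should be committed in the same request as the successful login; if it fails silently, the user simply stays on the legacy path and is retried next time, which is acceptable but worth logging. To know when the "crutch" can be removed, count the rows whose stored password does not start with `$2`; once that count is zero (helped along by the forced password rotation mentioned above), the legacy branch and the `StandardPasswordEncoder` dependency can be deleted.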