Spring security with Bcrypt

Question

I am using Bcrypt as password hashing algorithm for Spring security project.

When I tried using online Bcrypt calculator it generates different hash values for the same plain text password. This is due to salting which I understood.

But for authentication in a real spring security app the application reads the password entered by user and generates bcrypt hash and then compares it with the bcrypt hash stored in database. If it matches it authenticates the user.

How does it match if bcrypt generates different values each time.?

This answer https://stackoverflow.com/a/8528804/241990 and comments may also be useful. — Shaun the Sheep, May 06 '19 at 15:37

score 0 · Answer 1 · answered May 05 '19 at 13:09

The hashing method generates a string which contains both the hash itself and the salt.

The checking method reads the hash stored in the string, and hashes the plaintext password with that hash (the same that was used when first hashing the password).

See wikipedia for a more detailed description

Spring security with Bcrypt

1 Answers1