Spring BCryptPasswordEncoder - Any way to configure the number of rounds for the generation of hash?

I've seen that in Spring, we can pass the number of rounds for password checking as the BCryptPasswordEncoder constructor parameter (strength). Is there any way to control the number of rounds in hash generation?
I believe the strength parameter of Spring Security's BCryptPasswordEncoder does control the number of rounds in hash generation:

The JavaDoc of the BCryptPasswordEncoder class says:

> Implementation of PasswordEncoder that uses the BCrypt strong hashing function. Clients can optionally supply a "version" ($2a, $2b, $2y) and a "strength" (a.k.a. log rounds in BCrypt) and a SecureRandom instance. The larger the strength parameter the more work will have to be done (exponentially) to hash the passwords. The default value is 10.

The strength parameter is passed to the BCrypt class (the actual implementation) as the log_rounds parameter, about which the JavaDoc says:

> The gensalt() method takes an optional parameter (log_rounds) that determines the computational complexity of the hashing:
>
>     String strong_salt = BCrypt.gensalt(10);
>     String stronger_salt = BCrypt.gensalt(12);
>
> The amount of work increases exponentially (2**log_rounds), so each increment is twice as much work. The default log_rounds is 10, and the valid range is 4 to 31.

- I gave a strength value of 5, but I don't see any increase in performance. Why could that be happening? – Sachin Titus Apr 13 '20 at 13:41
- "Safe enough" is relative. I think the best recommendation is to choose rounds as large as possible so that normal use on your server does not become a nuisance (too slow). Note that bcrypt is slow by design. You can read more about it [here](https://security.stackexchange.com/questions/17207/recommended-of-rounds-for-bcrypt) or [here](https://stackoverflow.com/questions/4443476/optimal-bcrypt-work-factor). – Dario Seidl Apr 13 '20 at 14:16
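An added example (not from the answer, the comments or the Spring project) that ties the two points together: the strength given to the constructor is stored as the cost field of the hash itself, and timing an encode at successive strengths is how to pick the largest value that still fits a login latency budget. The sample password, the 250 ms budget and the class name are assumptions.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * Added example: shows that BCryptPasswordEncoder's "strength" becomes the
 * cost field of the produced hash, and times one encode per strength so an
 * operator can choose the largest cost within a latency budget.
 */
public class BcryptStrengthDemo {

    /** Extract the log-rounds (cost) field from a "$2a$NN$..." hash. */
    static int costOf(String hash) {
        // Format: $<version>$<cost>$<22-char salt><31-char digest>
        String[] parts = hash.split("\\$");
        if (parts.length < 4) {
            throw new IllegalArgumentException("not a bcrypt hash: " + hash);
        }
        return Integer.parseInt(parts[2]);
    }

    /** Wall-clock milliseconds for a single encode at the given strength. */
    static long millisToEncode(int strength, CharSequence password) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(strength);
        long start = System.nanoTime();
        encoder.encode(password);
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple"; // constructed sample input

        // 1. The strength is embedded in the hash, so matches() reads the cost
        //    from the stored hash; existing hashes keep working if you raise it later.
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(12);
        String hash = encoder.encode(password);
        System.out.println("hash       = " + hash);
        System.out.println("cost field = " + costOf(hash));                  // 12
        System.out.println("matches    = " + encoder.matches(password, hash)); // true

        // 2. Each +1 in strength doubles the work (2**log_rounds). Time a few
        //    values and stop at the first that exceeds the per-login budget.
        long budgetMillis = 250; // assumption: acceptable hashing time per login
        for (int strength = 10; strength <= 31; strength++) {
            long ms = millisToEncode(strength, password);
            System.out.printf("strength=%2d  %6d ms%n", strength, ms);
            if (ms > budgetMillis) {
                System.out.println("largest strength within budget: " + (strength - 1));
                break;
            }
        }
    }
}
```

Run it on the hardware that will actually serve logins; the measured times, not the default of 10, should decide the strength you configure.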