Upgrading Spring Security PasswordEncoder

Question

Upgrading from:

import org.springframework.security.authentication.encoding.PasswordEncoder;

    @Override
    public String encodePassword(String plainPassword, Object salt) {
        final String finalSalt = salt != null ? salt.toString() : "";
        return DigestUtils.md5Hex(finalSalt + plainPassword);
    }

    @Override
    public boolean isPasswordValid(String encodedPassword, String plainPassword, Object salt) {
        final String enteredPassword = encodePassword(plainPassword, salt);
        return encodedPassword.equals(enteredPassword);
    }

To:

import org.springframework.security.crypto.password.PasswordEncoder;

    @Override
    public String encode(CharSequence rawPassword) {
      final String finalSalt = salt != null ? salt.toString() : "";
      return DigestUtils.md5Hex(finalSalt + plainPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
       final String enteredPassword = encodePassword(plainPassword, salt);
       return encodedPassword.equals(enteredPassword);
    }

Not sure what to do about salt?
Not sure if I can just convert rawPassword to String to replace plainPassword?

Please don't use MD5 for password hashing, it's not considered safe for a long time. — Karol Dowbecki, Jun 14 '21 at 09:39

score 1 · Answer 1 · answered Jun 14 '21 at 09:44

1

The new methods expect that salt is part of the encoded password. As per PasswordEncoder.encoder() javadoc:

Encode the raw password. Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.

If you look at this answer it shows how BCryptPasswordEncoder encodes salt in the encoded password. The actual BCrypt encoded password format is explained here.

answered Jun 14 '21 at 09:44

Karol Dowbecki

43,645
9
78
111

So the new `encode` method should basically just do this? `return new org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder().encode(rawPassword);` and what about the new `matches` method? `return encodedPassword.equals(enteredPassword);`? – Jun 14 '21 at 09:55
Also, do you know if `SystemWideSaltSource` should be deleted now? Mine was set to `super.setSystemWideSalt("pc567");` and I suspect that changing this may cause some issues – Jun 14 '21 at 10:23

Upgrading Spring Security PasswordEncoder

1 Answers1