From 7c31eb58ac5f95c9ebe124aad7f31428b2331ef8 Mon Sep 17 00:00:00 2001
From: Yerin Lee
Date: Thu, 5 Feb 2026 16:03:49 +0900
Subject: [PATCH] Also deprecate BCrypt.gensalt(int) without SecureRandom parameter
- Deprecates BCrypt.gensalt(int) method
Closes gh-17824
Signed-off-by: Yerin Lee
---
 .../org/springframework/security/crypto/bcrypt/BCrypt.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
index 98bd5946a8..87c9ed738c 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
@@ -744,7 +744,12 @@ public class BCrypt {
 * factor therefore increases as 2**log_rounds.
 * @return an encoded salt value
 * @exception IllegalArgumentException if log_rounds is invalid
+ * @deprecated since 6.4 in favor of {@link #gensalt(int, SecureRandom)}.
+ * Creating a new {@code SecureRandom} instance on every invocation incurs significant
+ * performance overhead. Use {@link #gensalt(int, SecureRandom)} with a reusable
+ * {@code SecureRandom} instance instead.
 */
+ @Deprecated(since = "6.4", forRemoval = false)
 public static String gensalt(int log_rounds) throws IllegalArgumentException {
 return gensalt(log_rounds, new SecureRandom());
 }
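Review bot: The added `@deprecated` text on `gensalt(int)` gives only the performance reason, so a reader cannot tell whether salts from this overload are considered weak or whether the shared instance it recommends is safe under concurrency. The visible body still draws from a fresh `SecureRandom`, so the salts are not weaker, and `SecureRandom` is documented as safe for concurrent use. I would add one sentence to the Javadoc, for example `Salts produced by this method remain cryptographically sound; a single {@code SecureRandom} may be shared across threads, and must not be replaced by a deterministically seeded generator.` The `forRemoval = false` element on the annotation is the default and could be dropped unless the project spells it out by convention. The Javadoc comment starts outside the hunk, so earlier wording on this point is not visible here.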