diff --git a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
index 910b2d5606..98bd5946a8 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
@@ -716,7 +716,12 @@ public class BCrypt {
 * factor therefore increases as 2**log_rounds.
 * @return an encoded salt value
 * @exception IllegalArgumentException if prefix or log_rounds is invalid
+ * @deprecated since 6.4 in favor of {@link #gensalt(String, int, SecureRandom)}.
+ * Creating a new {@code SecureRandom} instance on every invocation incurs significant
+ * performance overhead. Use {@link #gensalt(String, int, SecureRandom)} with a reusable
+ * {@code SecureRandom} instance instead.
 */
+ @Deprecated(since = "6.4", forRemoval = false)
 public static String gensalt(String prefix, int log_rounds) throws IllegalArgumentException {
 return gensalt(prefix, log_rounds, new SecureRandom());
 }
diff --git a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java
index 25dcf65196..3c0eaa3595 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java
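Review bot: The new `@deprecated` text at the top of the hunk gives only the performance reason, so a reader may take this as a security fix; add a sentence making clear that the per-call `new SecureRandom()` still yields a properly seeded CSPRNG and that the deprecation changes nothing about the strength of the salts, e.g. `* This is a performance deprecation only; salts produced by this method remain cryptographically sound.` Since callers are being told to hold a reusable instance, the Javadoc should also say that one `SecureRandom` may be shared across threads (the JDK documents it as safe for concurrent use) and that the replacement must still be handed a `SecureRandom`, never a seeded or non-cryptographic generator. Separately, `forRemoval = false` is the annotation's default, so `@Deprecated(since = "6.4")` expresses the same intent with less noise.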
@@ -47,21 +47,21 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
 private final @Nullable SecureRandom random;
 
 public BCryptPasswordEncoder() {
- this(-1);
+ this(-1, new SecureRandom());
 }
 
 /**
 * @param strength the log rounds to use, between 4 and 31
 */
 public BCryptPasswordEncoder(int strength) {
- this(strength, null);
+ this(strength, new SecureRandom());
 }
 
 /**
 * @param version the version of bcrypt, can be 2a,2b,2y
 */
 public BCryptPasswordEncoder(BCryptVersion version) {
- this(version, null);
+ this(version, new SecureRandom());
 }
 
 /**
@@ -85,7 +85,7 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
 * @param strength the log rounds to use, between 4 and 31
 */
 public BCryptPasswordEncoder(BCryptVersion version, int strength) {
- this(version, strength, null);
+ this(version, strength, new SecureRandom());
 }
 
 /**
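Review bot: The three constructors changed in this hunk now create one `SecureRandom` per encoder and reuse it for every encoding call, but none of their Javadoc says so, which is exactly what a maintainer needs to know before touching them again; add a line such as `* A single {@code SecureRandom} is created for this encoder and reused for all encoding calls; it is safe for concurrent use.` to each affected constructor's Javadoc. The field on the first line of the hunk stays `@Nullable` even though these call sites no longer pass `null`, which is justified only if the constructors that take a `SecureRandom` argument (outside this hunk) still accept `null`; if they do, their Javadoc should state what `null` means, and if they do not, the annotation should go. The class body continues beyond the end of the hunk.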