mentioning the default strength of BCryptPasswordEncoder

Fixes gh-8542
2020-05-17 23:06:30 -04:00 · 2020-05-17 23:06:30 -04:00 · e1f01c6d77
parent c1f737c842
commit e1f01c6d77
1 changed files with 2 additions and 0 deletions
--- a/docs/manual/src/docs/asciidoc/_includes/about/authentication/password-storage.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/about/authentication/password-storage.adoc
@ -272,6 +272,8 @@ https://docs.spring.io/spring-security/site/docs/5.0.x/api/org/springframework/s
 The `BCryptPasswordEncoder` implementation uses the widely supported https://en.wikipedia.org/wiki/Bcrypt[bcrypt] algorithm to hash the passwords.
 In order to make it more resistent to password cracking, bcrypt is deliberately slow.
 Like other adaptive one-way functions, it should be tuned to take about 1 second to verify a password on your system.
+The default implementation of `BCryptPasswordEncoder` uses strength 10 as mentioned on the Javadoc of https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html[BCryptPasswordEncoder]. Your are encouagred to
+tune and test the strength parameter on your own system so that it take roughly 1 second to verify a password.

 [source,java]
 ----