From e1f01c6d7722d9c20ea2baa3013496939c74c30c Mon Sep 17 00:00:00 2001 From: Mazharul Islam Date: Sun, 17 May 2020 23:06:30 -0400 Subject: [PATCH] mentioning the default strength of BCryptPasswordEncoder Fixes gh-8542 --- .../_includes/about/authentication/password-storage.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/manual/src/docs/asciidoc/_includes/about/authentication/password-storage.adoc b/docs/manual/src/docs/asciidoc/_includes/about/authentication/password-storage.adoc index 018fa0dc16..0d7a53d12e 100644 --- a/docs/manual/src/docs/asciidoc/_includes/about/authentication/password-storage.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/about/authentication/password-storage.adoc @@ -272,6 +272,8 @@ https://docs.spring.io/spring-security/site/docs/5.0.x/api/org/springframework/s The `BCryptPasswordEncoder` implementation uses the widely supported https://en.wikipedia.org/wiki/Bcrypt[bcrypt] algorithm to hash the passwords. In order to make it more resistent to password cracking, bcrypt is deliberately slow. Like other adaptive one-way functions, it should be tuned to take about 1 second to verify a password on your system. +The default implementation of `BCryptPasswordEncoder` uses strength 10 as mentioned on the Javadoc of https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html[BCryptPasswordEncoder]. Your are encouagred to +tune and test the strength parameter on your own system so that it take roughly 1 second to verify a password. [source,java] ----
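Review bot: the two added lines in the `@@ -272,6 +272,8 @@` hunk carry typos that should be fixed before this lands in the published reference: "Your are encouagred to" should read "You are encouraged to", and "so that it take roughly 1 second" should read "so that it takes roughly 1 second". The second added sentence also restates the tuning advice already given in the unchanged line just above it ("it should be tuned to take about 1 second to verify a password on your system"); consider keeping only the new fact, i.e. the default strength of 10 with the Javadoc link, and dropping the duplicated sentence, or folding the two into one: "The default strength is 10 (see the Javadoc); tune and test it on your own system so that verification takes roughly 1 second." Since the surrounding context line also misspells "resistent", fixing it to "resistant" in the same commit would be a reasonable drive-by, though it is outside the stated scope of gh-8542.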