Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

mentioning the default strength of BCryptPasswordEncoder 

Fixes gh-8542
This commit is contained in:
Mazharul Islam 2020-05-17 23:06:30 -04:00 committed by Rob Winch
parent c1f737c842
commit e1f01c6d77
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/manual/src/docs/asciidoc/_includes/about/authentication/password-storage.adoc
View File

@ -272,6 +272,8 @@ https://docs.spring.io/spring-security/site/docs/5.0.x/api/org/springframework/s
The `BCryptPasswordEncoder` implementation uses the widely supported https://en.wikipedia.org/wiki/Bcrypt[bcrypt] algorithm to hash the passwords. The `BCryptPasswordEncoder` implementation uses the widely supported https://en.wikipedia.org/wiki/Bcrypt[bcrypt] algorithm to hash the passwords.
In order to make it more resistent to password cracking, bcrypt is deliberately slow. In order to make it more resistent to password cracking, bcrypt is deliberately slow.
Like other adaptive one-way functions, it should be tuned to take about 1 second to verify a password on your system. Like other adaptive one-way functions, it should be tuned to take about 1 second to verify a password on your system.
The default implementation of `BCryptPasswordEncoder` uses strength 10 as mentioned on the Javadoc of https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html[BCryptPasswordEncoder]. Your are encouagred to
tune and test the strength parameter on your own system so that it take roughly 1 second to verify a password.
[source,java] [source,java]
---- ----