Class StandardPasswordEncoder

java.lang.Object
org.springframework.security.crypto.password.AbstractValidatingPasswordEncoder
org.springframework.security.crypto.password.StandardPasswordEncoder
All Implemented Interfaces:
PasswordEncoder

@Deprecated public final class StandardPasswordEncoder extends AbstractValidatingPasswordEncoder
Deprecated.
Digest-based password encoding is not considered secure. Instead, use an adaptive one-way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better, use DelegatingPasswordEncoder, which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
This PasswordEncoder is provided for legacy purposes only and is not considered secure. A standard PasswordEncoder implementation that uses SHA-256 hashing with 1024 iterations and a random 8-byte salt value. It uses an additional system-wide secret value to provide additional protection.

The digest algorithm is invoked on the concatenated bytes of the salt, secret and password.

If you are developing a new system, BCryptPasswordEncoder is a better choice both in terms of security and interoperability with other languages.
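The upgrade path recommended above, as an added example that is not part of the Spring Security documentation: existing StandardPasswordEncoder hashes are still verified at login and then re-encoded with bcrypt through DelegatingPasswordEncoder. The class name, method names and the secret and password values are constructed for illustration, and spring-security-crypto is assumed to be on the classpath.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;

public class LegacyHashUpgradeExample {

    // New hashes are written as {bcrypt}...; legacy SHA-256 hashes are only verified.
    @SuppressWarnings("deprecation")
    static PasswordEncoder migratingEncoder(CharSequence legacySecret) {
        PasswordEncoder legacy = new StandardPasswordEncoder(legacySecret);
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        encoders.put("sha256", legacy); // rows already stored as {sha256}<hex>
        DelegatingPasswordEncoder delegating = new DelegatingPasswordEncoder("bcrypt", encoders);
        // Rows written before the migration carry no {id} prefix at all.
        delegating.setDefaultPasswordEncoderForMatches(legacy);
        return delegating;
    }

    // Returns the hash to persist after a successful login, or null if the password is wrong.
    static String verifyAndUpgrade(PasswordEncoder encoder, CharSequence rawPassword, String storedHash) {
        if (!encoder.matches(rawPassword, storedHash)) {
            return null;
        }
        // upgradeEncoding is true when the stored hash was not produced by the bcrypt delegate.
        return encoder.upgradeEncoding(storedHash) ? encoder.encode(rawPassword) : storedHash;
    }

    @SuppressWarnings("deprecation")
    public static void main(String[] args) {
        String secret = "example-system-secret"; // constructed value
        String legacyHash = new StandardPasswordEncoder(secret).encode("correct horse"); // constructed legacy row
        PasswordEncoder encoder = migratingEncoder(secret);

        String upgraded = verifyAndUpgrade(encoder, "correct horse", legacyHash);
        System.out.println("re-encoded with bcrypt: " + upgraded.startsWith("{bcrypt}"));
        System.out.println("needs another upgrade: " + encoder.upgradeEncoding(upgraded));
        System.out.println("wrong password result: " + verifyAndUpgrade(encoder, "wrong guess", legacyHash));
    }
}
```

The legacy secret is only needed until every stored hash has been re-encoded; hashes for accounts that never log in again stay in the legacy format until reset.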

  • Constructor Details

    • StandardPasswordEncoder

      public StandardPasswordEncoder()
      Deprecated.
      Constructs a standard password encoder with no additional secret value.
    • StandardPasswordEncoder

      public StandardPasswordEncoder(CharSequence secret)
      Deprecated.
      Constructs a standard password encoder with a secret value which is also included in the password hash.
      Parameters:
      secret - the secret key used in the encoding process (should not be shared)
  • Method Details