Package org.springframework.security.crypto.password

Class StandardPasswordEncoder

  • All Implemented Interfaces:
    PasswordEncoder
    @Deprecated
public final class StandardPasswordEncoder
extends java.lang.Object
implements PasswordEncoder
    Deprecated.
    Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
    This PasswordEncoder is provided for legacy purposes only and is not considered secure. A standard PasswordEncoder implementation that uses SHA-256 hashing with 1024 iterations and a random 8-byte random salt value. It uses an additional system-wide secret value to provide additional protection.

    The digest algorithm is invoked on the concatenated bytes of the salt, secret and password.

    If you are developing a new system, BCryptPasswordEncoder is a better choice both in terms of security and interoperability with other languages.

    • Constructor Summary

      Constructors 
      Constructor Description
      StandardPasswordEncoder()
      Deprecated.
      Constructs a standard password encoder with no additional secret value.
      StandardPasswordEncoder​(java.lang.CharSequence secret)
      Deprecated.
      Constructs a standard password encoder with a secret value which is also included in the password hash.

    • Method Summary

      All Methods Instance Methods Concrete Methods Deprecated Methods 
      Modifier and Type Method Description
      java.lang.String encode​(java.lang.CharSequence rawPassword)
      Deprecated.
      Encode the raw password.
      boolean matches​(java.lang.CharSequence rawPassword, java.lang.String encodedPassword)
      Deprecated.
      Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • StandardPasswordEncoder

        public StandardPasswordEncoder()
        Deprecated.
        Constructs a standard password encoder with no additional secret value.

      • StandardPasswordEncoder

        public StandardPasswordEncoder​(java.lang.CharSequence secret)
        Deprecated.
        Constructs a standard password encoder with a secret value which is also included in the password hash.
        Parameters:
        secret - the secret key used in the encoding process (should not be shared)

    • Method Detail

      • encode

        public java.lang.String encode​(java.lang.CharSequence rawPassword)
        Deprecated.
        Description copied from interface: PasswordEncoder
        Encode the raw password. Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.
        Specified by:
        encode in interface PasswordEncoder

      • matches

        public boolean matches​(java.lang.CharSequence rawPassword,
                       java.lang.String encodedPassword)
        Deprecated.
        Description copied from interface: PasswordEncoder
        Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded. Returns true if the passwords match, false if they do not. The stored password itself is never decoded.
        Specified by:
        matches in interface PasswordEncoder
        Parameters:
        rawPassword - the raw password to encode and match
        encodedPassword - the encoded password from storage to compare with
        Returns:
        true if the raw password, after encoding, matches the encoded password from storage