Class SCryptPasswordEncoder
- java.lang.Object
- org.springframework.security.crypto.scrypt.SCryptPasswordEncoder

All Implemented Interfaces:
- PasswordEncoder

public class SCryptPasswordEncoder extends java.lang.Object implements PasswordEncoder

Implementation of PasswordEncoder that uses the SCrypt hashing function. Clients can optionally supply a CPU cost parameter, a memory cost parameter and a parallelization parameter.
A few warnings:
- The current implementation uses Bouncy Castle, which does not exploit the parallelism and optimizations that password crackers will, so there is an unnecessary asymmetry between attacker and defender.
- Scrypt is based on Salsa20, which performs poorly in Java (on par with AES) but performs very well (~4-5x faster) on SIMD-capable platforms.
- While there are some who would disagree, consider reading "Why I Don't Recommend Scrypt (for password storage)".
Constructor Summary

Constructors:
- SCryptPasswordEncoder()
  Deprecated. Use defaultsForSpringSecurity_v4_1() instead.
- SCryptPasswordEncoder(int cpuCost, int memoryCost, int parallelization, int keyLength, int saltLength)
  Constructs a SCrypt password encoder with the provided parameters.
Method Summary

Methods (static, instance, concrete and deprecated):
- static SCryptPasswordEncoder defaultsForSpringSecurity_v4_1()
  Deprecated. Use defaultsForSpringSecurity_v5_8() instead.
- static SCryptPasswordEncoder defaultsForSpringSecurity_v5_8()
  Constructs a SCrypt password encoder with cpu cost of 65,536, memory cost of 8, parallelization of 1, a key length of 32 and a salt length of 16 bytes.
- java.lang.String encode(java.lang.CharSequence rawPassword)
  Encode the raw password.
- boolean matches(java.lang.CharSequence rawPassword, java.lang.String encodedPassword)
  Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded.
- boolean upgradeEncoding(java.lang.String encodedPassword)
  Returns true if the encoded password should be encoded again for better security, else false.
Constructor Detail

SCryptPasswordEncoder
@Deprecated public SCryptPasswordEncoder()
Deprecated. Use defaultsForSpringSecurity_v4_1() instead.
Constructs a SCrypt password encoder with cpu cost of 16,384, memory cost of 8, parallelization of 1, a key length of 32 and a salt length of 64 bytes.

SCryptPasswordEncoder
public SCryptPasswordEncoder(int cpuCost, int memoryCost, int parallelization, int keyLength, int saltLength)
Constructs a SCrypt password encoder with the provided parameters.
- Parameters:
  - cpuCost - cpu cost of the algorithm (as defined in scrypt this is N). Must be a power of 2 greater than 1. Default is currently 65,536 (2^16).
  - memoryCost - memory cost of the algorithm (as defined in scrypt this is r). Default is currently 8.
  - parallelization - the parallelization of the algorithm (as defined in scrypt this is p). Default is currently 1. Note that the implementation does not currently take advantage of parallelization.
  - keyLength - key length for the algorithm (as defined in scrypt this is dkLen). The default is currently 32.
  - saltLength - salt length (as defined in scrypt this is the length of S). The default is currently 16.
Method Detail

defaultsForSpringSecurity_v4_1
@Deprecated public static SCryptPasswordEncoder defaultsForSpringSecurity_v4_1()
Deprecated. Use defaultsForSpringSecurity_v5_8() instead.
Constructs a SCrypt password encoder with cpu cost of 16,384, memory cost of 8, parallelization of 1, a key length of 32 and a salt length of 64 bytes.
- Returns: the SCryptPasswordEncoder
- Since: 5.8

defaultsForSpringSecurity_v5_8
public static SCryptPasswordEncoder defaultsForSpringSecurity_v5_8()
Constructs a SCrypt password encoder with cpu cost of 65,536, memory cost of 8, parallelization of 1, a key length of 32 and a salt length of 16 bytes.
- Returns: the SCryptPasswordEncoder
- Since: 5.8
encode
public java.lang.String encode(java.lang.CharSequence rawPassword)
Description copied from interface: PasswordEncoder
Encode the raw password. Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.
- Specified by: encode in interface PasswordEncoder

matches
public boolean matches(java.lang.CharSequence rawPassword, java.lang.String encodedPassword)
Description copied from interface: PasswordEncoder
Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded. Returns true if the passwords match, false if they do not. The stored password itself is never decoded.
- Specified by: matches in interface PasswordEncoder
- Parameters:
  - rawPassword - the raw password to encode and match
  - encodedPassword - the encoded password from storage to compare with
- Returns: true if the raw password, after encoding, matches the encoded password from storage

upgradeEncoding
public boolean upgradeEncoding(java.lang.String encodedPassword)
Description copied from interface: PasswordEncoder
Returns true if the encoded password should be encoded again for better security, else false. The default implementation always returns false.
- Specified by: upgradeEncoding in interface PasswordEncoder
- Parameters:
  - encodedPassword - the encoded password to check
- Returns: true if the encoded password should be encoded again for better security, else false.
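The constructor, factory methods and the encode / matches / upgradeEncoding cycle described above, put together as an added usage example. This is not code from the Spring Security project or its documentation; it assumes spring-security-crypto (and Bouncy Castle, which the page says the implementation relies on) is on the classpath, and the password string, the class name SCryptUsageExample and the helper method names are constructed for illustration.

```java
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

public class SCryptUsageExample {

    // Encoder with the 5.8 defaults documented on this page:
    // N = 65,536, r = 8, p = 1, dkLen = 32, salt length = 16 bytes.
    private static final SCryptPasswordEncoder ENCODER =
            SCryptPasswordEncoder.defaultsForSpringSecurity_v5_8();

    // The same parameters pinned explicitly via the public constructor, for deployments
    // that want the cost settings visible in code rather than behind a factory method.
    private static final SCryptPasswordEncoder PINNED =
            new SCryptPasswordEncoder(65_536, 8, 1, 32, 16);

    /** Registration path: encode() draws a fresh random salt on every call. */
    public static String hashForStorage(CharSequence rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /** Login path: matches() re-encodes the submitted password; the stored hash is never decoded. */
    public static boolean verify(CharSequence rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    /**
     * Login path with re-hash policy: after a successful match, ask the encoder whether the
     * stored hash should be encoded again, and if so return a fresh hash for the caller to
     * persist. Returns null on a failed match so the caller treats it as authentication failure.
     */
    public static String verifyAndMaybeRehash(CharSequence rawPassword, String storedHash) {
        if (!ENCODER.matches(rawPassword, storedHash)) {
            return null;
        }
        return ENCODER.upgradeEncoding(storedHash) ? ENCODER.encode(rawPassword) : storedHash;
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple"; // constructed sample value

        String stored = hashForStorage(password);
        System.out.println("stored hash      : " + stored);
        System.out.println("correct password : " + verify(password, stored));      // true
        System.out.println("wrong password   : " + verify("not-the-password", stored)); // false

        // Each encode() call uses a new random salt, so two hashes of one password differ.
        System.out.println("salts differ     : " + !stored.equals(hashForStorage(password)));

        // The cost parameters travel inside the encoded string, so a hash produced by the
        // explicitly constructed encoder still verifies with the factory-built one.
        System.out.println("pinned verifies  : " + ENCODER.matches(password, PINNED.encode(password)));

        // A hash made with the deprecated 4.1 defaults (cpu cost 16,384) is what the
        // upgradeEncoding() check exists for: the result says whether to re-encode it.
        String legacy = SCryptPasswordEncoder.defaultsForSpringSecurity_v4_1().encode(password);
        System.out.println("upgrade advised  : " + ENCODER.upgradeEncoding(legacy));
        String maybeNew = verifyAndMaybeRehash(password, legacy);
        System.out.println("rehashed         : " + (maybeNew != null && !maybeNew.equals(legacy)));
    }
}
```

The re-hash helper is the piece worth copying: calling upgradeEncoding only after a successful matches() means the plaintext needed for re-encoding is available exactly once, at login, and a stored hash produced under older cost parameters is replaced without a separate migration step.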