Class Argon2PasswordEncoder

java.lang.Object
org.springframework.security.crypto.argon2.Argon2PasswordEncoder
All Implemented Interfaces:
PasswordEncoder

public class Argon2PasswordEncoder extends Object implements PasswordEncoder

Implementation of PasswordEncoder that uses the Argon2 hashing function. Clients can optionally supply the length of the salt to use, the length of the generated hash, a CPU cost parameter, a memory cost parameter and a parallelization parameter.

Note:

The current implementation uses Bouncy Castle, which does not exploit the parallelism and optimizations that password crackers will, so there is an unnecessary asymmetry between attacker and defender.

Since:
5.3
  • Constructor Details

    • Argon2PasswordEncoder

      public Argon2PasswordEncoder(int saltLength, int hashLength, int parallelism, int memory, int iterations)
      Constructs an Argon2 password encoder with the provided parameters.
      Parameters:
      saltLength - the salt length (in bytes)
      hashLength - the hash length (in bytes)
      parallelism - the parallelism
      memory - the memory cost
      iterations - the number of iterations
  • Method Details

    • defaultsForSpringSecurity_v5_2

      @Deprecated public static Argon2PasswordEncoder defaultsForSpringSecurity_v5_2()
      Deprecated.
      Constructs an Argon2 password encoder with a salt length of 16 bytes, a hash length of 32 bytes, parallelism of 1, memory cost of 1 << 12 and 3 iterations.
      Returns:
      the Argon2PasswordEncoder
      Since:
      5.8
    • defaultsForSpringSecurity_v5_8

      public static Argon2PasswordEncoder defaultsForSpringSecurity_v5_8()
      Constructs an Argon2 password encoder with a salt length of 16 bytes, a hash length of 32 bytes, parallelism of 1, memory cost of 1 << 14 and 2 iterations.
      Returns:
      the Argon2PasswordEncoder
      Since:
      5.8
    • encode

      public String encode(CharSequence rawPassword)
      Description copied from interface: PasswordEncoder
      Encode the raw password. Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.
      Specified by:
      encode in interface PasswordEncoder
    • matches

      public boolean matches(CharSequence rawPassword, String encodedPassword)
      Description copied from interface: PasswordEncoder
      Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded. Returns true if the passwords match, false if they do not. The stored password itself is never decoded.
      Specified by:
      matches in interface PasswordEncoder
      Parameters:
      rawPassword - the raw password to encode and match
      encodedPassword - the encoded password from storage to compare with
      Returns:
      true if the raw password, after encoding, matches the encoded password from storage
    • upgradeEncoding

      public boolean upgradeEncoding(String encodedPassword)
      Description copied from interface: PasswordEncoder
      Returns true if the encoded password should be encoded again for better security, else false. The default implementation always returns false.
      Specified by:
      upgradeEncoding in interface PasswordEncoder
      Parameters:
      encodedPassword - the encoded password to check
      Returns:
      true if the encoded password should be encoded again for better security, else false.
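
Added example (not part of the Spring Security Javadoc or code base): re-hashing a stored password at login by combining matches, upgradeEncoding and encode. The class Argon2RehashOnLogin, its in-memory map and the sample password are constructed for illustration; the example assumes spring-security-crypto and Bouncy Castle are on the classpath and that matches verifies a stored hash using the parameters recorded in its encoded string.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example: hypothetical class and in-memory store, not part of Spring Security.
public class Argon2RehashOnLogin {

    // Constructed stand-in for a user table: username -> encoded password.
    private final Map<String, String> store = new HashMap<>();

    // Encoder holding the parameters every stored hash should end up with.
    private final PasswordEncoder current = Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8();

    void importLegacyHash(String user, String encoded) {
        store.put(user, encoded);
    }

    boolean login(String user, CharSequence rawPassword) {
        String encoded = store.get(user);
        if (encoded == null || !current.matches(rawPassword, encoded)) {
            return false;
        }
        // The raw password is only available at login, so this is the point to re-hash.
        if (current.upgradeEncoding(encoded)) {
            store.put(user, current.encode(rawPassword));
        }
        return true;
    }

    @SuppressWarnings("deprecation") // the deprecated factory is used only to build legacy sample data
    public static void main(String[] args) {
        Argon2RehashOnLogin app = new Argon2RehashOnLogin();
        // Constructed sample: a hash produced with the older, deprecated parameters.
        PasswordEncoder legacy = Argon2PasswordEncoder.defaultsForSpringSecurity_v5_2();
        app.importLegacyHash("alice", legacy.encode("correct horse battery staple"));

        String before = app.store.get("alice");
        System.out.println("login ok:        " + app.login("alice", "correct horse battery staple"));
        System.out.println("hash re-encoded: " + !before.equals(app.store.get("alice")));
        System.out.println("wrong password:  " + app.login("alice", "guess"));
    }
}
```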