Spring security with Bcrypt


I am using Bcrypt as password hashing algorithm for Spring security project.

When I tried using online Bcrypt calculator it generates different hash values for the same plain text password. This is due to salting which I understood.

But for authentication in a real spring security app the application reads the password entered by user and generates bcrypt hash and then compares it with the bcrypt hash stored in database. If it matches it authenticates the user.

How does it match if bcrypt generates different values each time?

1 Answer

JB Nizet

The hashing method generates a string which contains both the hash itself and the salt.

The checking method reads the hash stored in the string, and hashes the plaintext password with that hash (the same that was used when first hashing the password).

See Wikipedia for a more detailed description.
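The mechanism the answer describes can be seen directly with Spring Security's own `BCryptPasswordEncoder` and the underlying `BCrypt` class. The following is an added illustration, not code from the question, the answer, or the Spring project; the password string is a constructed sample and the `describe` helper is a hypothetical name used here only to pick the stored string apart. It shows that two encodings of the same password differ (fresh random salt each time), that `matches()` still verifies both, that the stored string carries its version, cost factor and salt in a fixed layout, and that re-hashing the plaintext with the salt taken from the stored string reproduces that string byte for byte, which is exactly the comparison `matches()` performs.

```java
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BcryptSaltDemo {

    // Constructed sample password for the demo; not a real credential.
    private static final String RAW_PASSWORD = "correct horse battery staple";

    public static void main(String[] args) {
        // Default strength is a cost factor of 10 (2^10 key-expansion rounds).
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

        // 1. Hashing the same password twice yields two different strings,
        //    because a fresh 16-byte random salt is generated on each call.
        String stored1 = encoder.encode(RAW_PASSWORD);
        String stored2 = encoder.encode(RAW_PASSWORD);
        System.out.println("stored #1: " + stored1);
        System.out.println("stored #2: " + stored2);
        System.out.println("stored strings identical? " + stored1.equals(stored2));

        // 2. Both strings still verify the original password, because matches()
        //    extracts the salt from the stored string rather than drawing a new one.
        //    This is the call a Spring Security login flow makes, not a fresh encode().
        System.out.println("matches stored #1? " + encoder.matches(RAW_PASSWORD, stored1));
        System.out.println("matches stored #2? " + encoder.matches(RAW_PASSWORD, stored2));
        System.out.println("wrong password matches? " + encoder.matches("not the password", stored1));

        // 3. The stored string is self-describing:
        //    $<version>$<cost>$<22-char salt><31-char hash>, all in bcrypt's base64 alphabet.
        describe(stored1);

        // 4. BCrypt.hashpw accepts a complete stored string as its "salt" argument and
        //    uses only the version/cost/salt prefix from it. Hashing the plaintext that way
        //    reproduces the stored string exactly; checkpw()/matches() compare these two strings.
        String recomputed = BCrypt.hashpw(RAW_PASSWORD, stored1);
        System.out.println("recomputed equals stored #1? " + recomputed.equals(stored1));
    }

    // Hypothetical helper for this demo: splits a stored bcrypt string into its fields.
    static void describe(String stored) {
        // Leading '$' produces an empty first element: ["", "2a", "10", "<salt+hash>"]
        String[] parts = stored.split("\\$");
        String version = parts[1];
        int cost = Integer.parseInt(parts[2]);
        String saltAndHash = parts[3];
        String salt = saltAndHash.substring(0, 22);   // 128-bit salt, 22 base64 chars
        String hash = saltAndHash.substring(22);      // 184-bit digest, 31 base64 chars
        System.out.println("version: $" + version + "$");
        System.out.println("cost:    " + cost + " (2^" + cost + " rounds)");
        System.out.println("salt:    " + salt + " (" + salt.length() + " chars)");
        System.out.println("hash:    " + hash + " (" + hash.length() + " chars)");
    }
}
```

Run it with `spring-security-crypto` on the classpath. The practical consequence for a Spring Security app is that the stored column must hold the whole `$2a$10$...` string unmodified, and authentication must go through `PasswordEncoder.matches(raw, stored)` rather than comparing a freshly computed `encode(raw)` against the database value, which would never match.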