Spring Security : Encoded password does not look like BCrypt
A Spring Security setup using database authentication with bcrypt password hashing:
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
//...
String password = "123456";
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
// each call produces a new salted, 60-character bcrypt hash
String hashedPassword = passwordEncoder.encode(password);
spring-security.xml
<authentication-manager>
    <authentication-provider>
        <password-encoder hash="bcrypt" />
        <!-- ... -->
    </authentication-provider>
</authentication-manager>
CREATE TABLE users (
    username VARCHAR(45) NOT NULL,
    password VARCHAR(45) NOT NULL,
    enabled TINYINT NOT NULL DEFAULT 1,
    PRIMARY KEY (username)
);
Reviewing the debug output, it always says “Encoded password does not look like BCrypt”, even when the correct password is provided.
//...
12:56:31.868 DEBUG o.s.jdbc.datasource.DataSourceUtils - Returning JDBC Connection to DataSource
12:56:31.868 WARN o.s.s.c.bcrypt.BCryptPasswordEncoder - Encoded password does not look like BCrypt
12:56:31.868 DEBUG o.s.s.a.d.DaoAuthenticationProvider - Authentication failed: password does not match stored value
Solution
The bcrypt hashing algorithm generates a different hash value on every call, and the result is always 60 characters long, for example
$2a$10$LOqePml/koRGsk2YAIOFI.1YNKZg7EsQ5BAIuYP1nWOyYRl21dlne
A common mistake is that the “password” column of the users table is shorter than 60 characters, for example password VARCHAR(45), and some databases silently truncate the data on insert. The stored value is then no longer a valid bcrypt hash, so you always get the warning “Encoded password does not look like BCrypt”.
To solve it, make sure the length of the “password” column is at least 60.
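The following is an added Python example, not code from the original post: it audits values read from the “password” column for the bcrypt shape described above (prefix, cost, 53 base64 characters, 60 in total) and reports the truncation case separately, so a column that is too narrow can be spotted before users start failing to log in. The sample rows, the simulate_varchar helper and the accepted prefixes ($2a, $2b, $2y) are assumptions made for the example.

```python
import re

# Shape of a bcrypt hash: "$2a$10$" (7 chars) + 22-char salt + 31-char digest = 60 chars.
# Prefixes $2b and $2y are accepted as well (assumption: newer generators emit them).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d\d)\$[./A-Za-z0-9]{53}$")
BCRYPT_LEN = 60

def check_stored_hash(stored):
    """Return (ok, reason) for one value read from users.password."""
    if stored is None or stored == "":
        return False, "empty encoded password"
    m = BCRYPT_RE.match(stored)
    if m is None:
        # A value that starts like bcrypt but is too short was most likely cut
        # by a VARCHAR column narrower than 60, exactly the problem from the post.
        if stored.startswith("$2") and len(stored) < BCRYPT_LEN:
            return False, f"truncated: {len(stored)} chars, expected {BCRYPT_LEN} (widen the column)"
        return False, "does not look like BCrypt"
    return True, f"ok, cost {int(m.group(1))}"

def simulate_varchar(value, width):
    """Mimic a database that silently truncates to VARCHAR(width). Constructed helper."""
    return value[:width]

def audit(rows):
    """rows: list of (username, stored_password). Returns [(username, reason)] for bad rows."""
    bad = []
    for user, pw in rows:
        ok, reason = check_stored_hash(pw)
        if not ok:
            bad.append((user, reason))
    return bad

# Constructed sample hash (the 60-character example value from the post).
FULL = "$2a$10$LOqePml/koRGsk2YAIOFI.1YNKZg7EsQ5BAIuYP1nWOyYRl21dlne"

if __name__ == "__main__":
    rows = [
        ("alice", simulate_varchar(FULL, 45)),  # stored through a VARCHAR(45) column
        ("bob", FULL),                           # stored intact
        ("carol", "admin"),                      # legacy plaintext value
        ("dave", ""),                            # nothing stored at all
    ]
    for user, reason in audit(rows):
        print(user, "->", reason)
```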
Hi, I’ve set the password column to 100, but I still get “BCryptPasswordEncoder Empty encoded password” ????
Thanks man. Saved my day.
WARN Encoded password does not look like BCrypt 20:12::15.044 o.s.s.c.bcrypt.BCryptPasswordEncoder
In the database, when the password was not encrypted the existing password (‘admin’) was working, but when I BCrypt the password through the BCrypt Hash Generator and store the same encrypted password ($2b$10$cvPkaVhbvjmzXtM6sNyIGuxH/lnI5o4FFbVwV28d9/NEOcEtZ2Xqy), I am not able to log in. Why?
Please help me on this
Thanks.
Thanks a lot. Very helpful information 🙂
With MySQL db I noticed having 60 chars still shows this warning.
I set to 61 and it disappeared.
it’s really
Yep… a BCrypt hash always starts with ‘$2a$10’ …
Not anymore. They might be “$2b” or “$2y” now. And there is a bug in Spring Security that has a regex always looking for “$2a”
How can I fix it?