
Spring Security : Encoded password does not look like BCrypt

In Spring Security, database authentication is configured with bcrypt password hashing as follows.

  import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  import org.springframework.security.crypto.password.PasswordEncoder;
  //...
  String password = "123456";
  PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
  String hashedPassword = passwordEncoder.encode(password);
spring-security.xml

  <authentication-manager>
    <authentication-provider>
      <password-encoder hash="bcrypt" />
      <!-- ... -->
    </authentication-provider>
  </authentication-manager>

  CREATE TABLE users (
    username VARCHAR(45) NOT NULL,
    password VARCHAR(45) NOT NULL,
    enabled TINYINT NOT NULL DEFAULT 1,
    PRIMARY KEY (username));

Review the debug output: it always says “Encoded password does not look like BCrypt”, even when the correct password is provided.

//...
12:56:31.868 DEBUG o.s.jdbc.datasource.DataSourceUtils - Returning JDBC Connection to DataSource
12:56:31.868 WARN  o.s.s.c.bcrypt.BCryptPasswordEncoder - Encoded password does not look like BCrypt
12:56:31.868 DEBUG o.s.s.a.d.DaoAuthenticationProvider - Authentication failed: password does not match stored value

Solution

The bcrypt hashing algorithm generates a different hash value each time (a random salt is embedded in the output), and the encoded string is always 60 characters long, for example:

$2a$10$LOqePml/koRGsk2YAIOFI.1YNKZg7EsQ5BAIuYP1nWOyYRl21dlne

A common mistake is that the “password” column of the users table is shorter than 60 characters, for example password VARCHAR(45), and some databases silently truncate the value on insert. The stored string is then no longer a valid bcrypt hash, so you always get the warning “Encoded password does not look like BCrypt”.

To solve it, make sure the length of the “password” column is at least 60 characters.
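The following is an added example, not code from the original post. It reproduces the failure with Spring Security's own BCryptPasswordEncoder: the hash is generated, "stored" in a simulated column that is too narrow (the substring stands in for the database's truncation), and then verified. The storeInColumn and isFullBcryptHash helpers are assumptions introduced for this example; the encoder API (encode, matches) is the real Spring Security one.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example (not part of the original post): reproduces the truncation
// problem and shows the check to run over the users table afterwards.
public class BcryptColumnLengthCheck {

    // bcrypt output layout: "$2a$" + two-digit cost + "$" + 22 salt chars
    // + 31 hash chars = 60 characters in total.
    static final int BCRYPT_LENGTH = 60;

    // Hypothetical helper: simulates a database column that is too narrow.
    // Some databases truncate silently; others reject the row. Either way,
    // the value that ends up in the column is not a usable bcrypt hash.
    static String storeInColumn(String value, int columnWidth) {
        return value.length() <= columnWidth ? value : value.substring(0, columnWidth);
    }

    // Hypothetical helper: sanity check for values read back from the table.
    // A full bcrypt string is exactly 60 characters; anything shorter was cut.
    static boolean isFullBcryptHash(String stored) {
        return stored != null && stored.length() == BCRYPT_LENGTH && stored.startsWith("$2");
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        String rawPassword = "123456"; // constructed sample value, as in the post

        String hash = encoder.encode(rawPassword);
        System.out.println("hash   = " + hash);
        System.out.println("length = " + hash.length()); // always 60

        // 1) password VARCHAR(45): the stored value is a truncated, invalid hash.
        //    matches() logs "Encoded password does not look like BCrypt" and returns false.
        String truncated = storeInColumn(hash, 45);
        System.out.println("VARCHAR(45) valid?   " + isFullBcryptHash(truncated)); // false
        System.out.println("VARCHAR(45) matches? " + encoder.matches(rawPassword, truncated)); // false

        // 2) password VARCHAR(60): the full hash survives the round trip.
        String stored = storeInColumn(hash, 60);
        System.out.println("VARCHAR(60) valid?   " + isFullBcryptHash(stored)); // true
        System.out.println("VARCHAR(60) matches? " + encoder.matches(rawPassword, stored)); // true
    }
}
```

Widening the column fixes new logins, but rows that were already truncated cannot be repaired: the missing characters of the hash are gone, so those users have to set a new password. Running isFullBcryptHash over the existing rows after the schema change tells you which accounts are affected.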

About Author

Founder of Mkyong.com, loves Java and open source stuff. Follow him on Twitter. If you like my tutorials, consider making a donation to these charities.

Comments

Alan
3 years ago

Hi, I’ve set the password to 100, but I still get “BCryptPasswordEncoder Empty encoded password”????

Osako Norrey
8 years ago

Thanks man. Saved my day.

Devi
5 years ago

WARN Encoded password does not look like BCrypt 20:12::15.044 o.s.s.c.bcrypt.BCryptPasswordEncoder

In the database, when the password is not encrypted the existing password (‘admin’) was working, but when I BCrypt the password through the BCrypt Hash Generator and store the same encrypted password ($2b$10$cvPkaVhbvjmzXtM6sNyIGuxH/lnI5o4FFbVwV28d9/NEOcEtZ2Xqy), I am not able to log in. Why?

Please help me on this

Jayanth
5 years ago

Thanks.

Aleksandra Ojdana
6 years ago

Thanks a lot. Very helpful information 🙂

NaN
8 years ago

With MySQL db I noticed having 60 chars still shows this warning.
I set to 61 and it disappeared.

jack
4 years ago
Reply to  NaN

it’s really

Edward Beckett
9 years ago

Yep… a bCrypt always starts with ‘$2a$10’ …

Mark
6 years ago
Reply to  Edward Beckett

Not anymore. They might be “$2b” or “$2y” now. And there is a bug in Spring Security that has a regex always looking for “$2a”

Bruno
5 years ago
Reply to  Mark

How can i fix it?