Spring Security : Encoded password does not look like BCrypt

In Spring Security, we configure database authentication with bcrypt password hashing, as shown below.

  import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  import org.springframework.security.crypto.password.PasswordEncoder;
  //...
  String password = "123456";
  // BCryptPasswordEncoder embeds a random salt, so each call returns a different
  // string, but the result is always 60 characters long
  PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
  String hashedPassword = passwordEncoder.encode(password);
spring-security.xml

  <authentication-manager>
    <authentication-provider>
        <password-encoder hash="bcrypt" />
        <!-- ... -->
    </authentication-provider>
  </authentication-manager>

CREATE TABLE users (
  username VARCHAR(45) NOT NULL ,
  password VARCHAR(45) NOT NULL ,
  enabled TINYINT NOT NULL DEFAULT 1 ,
  PRIMARY KEY (username));

Review the debug output: it always says “Encoded password does not look like BCrypt”, even when the correct password is provided.

//...
12:56:31.868 DEBUG o.s.jdbc.datasource.DataSourceUtils - Returning JDBC Connection to DataSource
12:56:31.868 WARN  o.s.s.c.bcrypt.BCryptPasswordEncoder - Encoded password does not look like BCrypt
12:56:31.868 DEBUG o.s.s.a.d.DaoAuthenticationProvider - Authentication failed: password does not match stored value

Solution

The bcrypt hashing algorithm generates a different hash value each time (a random salt is embedded in the result), and the result is always 60 characters long, for example


$2a$10$LOqePml/koRGsk2YAIOFI.1YNKZg7EsQ5BAIuYP1nWOyYRl21dlne

A common mistake is that the “password” column of the users table is shorter than 60 characters, for example password VARCHAR(45). Some databases silently truncate the data on insert, so the stored value is no longer a complete bcrypt hash, and you always get the warning “Encoded password does not look like BCrypt”.

To solve it, make sure the length of the “password” column is at least 60.
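As an added example (not code from the original post or from Spring Security), a small Python model of what goes wrong: it parses the bcrypt string format (prefix, cost, 22-character salt, 31-character digest), checks the stored value against a pattern modeled on the "looks like BCrypt" test in Spring's BCryptPasswordEncoder (an assumption about its exact regex), and simulates a VARCHAR column silently truncating the hash.

```python
import re
from dataclasses import dataclass

# Pattern modeled on Spring Security's BCryptPasswordEncoder check (assumption:
# it accepts $2a/$2b/$2y prefixes, a two-digit cost and 53 bcrypt-base64 chars).
BCRYPT_PATTERN = re.compile(r"\A\$2(a|y|b)?\$(\d\d)\$[./0-9A-Za-z]{53}\Z")

# The 60-character hash quoted in the post above.
SAMPLE_HASH = "$2a$10$LOqePml/koRGsk2YAIOFI.1YNKZg7EsQ5BAIuYP1nWOyYRl21dlne"


@dataclass
class BcryptParts:
    prefix: str   # "2a", "2b" or "2y"
    cost: int     # log2 of the work factor, e.g. 10
    salt: str     # 22 bcrypt-base64 characters
    digest: str   # 31 bcrypt-base64 characters


def looks_like_bcrypt(stored: str) -> bool:
    """True when the stored value has the complete 60-character bcrypt layout."""
    return BCRYPT_PATTERN.match(stored) is not None


def parse_bcrypt(stored: str) -> BcryptParts:
    """Split a bcrypt string into its fields; rejects truncated values."""
    if not looks_like_bcrypt(stored):
        raise ValueError(f"not a bcrypt hash ({len(stored)} chars)")
    _, prefix, cost, rest = stored.split("$")
    return BcryptParts(prefix, int(cost), rest[:22], rest[22:])


def simulate_varchar(value: str, length: int) -> str:
    """Constructed model of a database silently truncating to VARCHAR(length)."""
    return value[:length]


def diagnose(column_length: int, stored_hash: str = SAMPLE_HASH) -> str:
    """Report what the encoder would see after a round trip through the column."""
    stored = simulate_varchar(stored_hash, column_length)
    if looks_like_bcrypt(stored):
        return "ok"
    return (f"Encoded password does not look like BCrypt "
            f"(stored {len(stored)} of {len(stored_hash)} chars)")


if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE_HASH))
    print("VARCHAR(45):", diagnose(45))
    print("VARCHAR(60):", diagnose(60))
```

Running it shows VARCHAR(45) keeps only 45 of the 60 characters, which is exactly why the encoder logs the warning and authentication fails even for the correct password.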

About the Author

mkyong
Founder of Mkyong.com, loves Java and open source stuff.

Comments

Edward Beckett

Yep… a bCrypt always starts with ‘$2a$10’ …

Mark

Not anymore. They might be “$2b” or “$2y” now. And there is a bug in Spring Security that has a regex always looking for “$2a”

Bruno

How can I fix it?

Devi

WARN Encoded password does not look like BCrypt 20:12::15.044 o.s.s.c.bcrypt.BCryptPasswordEncoder

In the database, when the password is not encrypted, the existing password (‘admin’) was working, but when I BCrypt the password through the BCrypt Hash Generator and store the same encrypted password ($2b$10$cvPkaVhbvjmzXtM6sNyIGuxH/lnI5o4FFbVwV28d9/NEOcEtZ2Xqy), it is not able to log in. Why?

Please help me with this.

Jayanth

Thanks.

Aleksandra Ojdana

Thanks a lot. Very helpful information :)

NaN

With MySQL db I noticed having 60 chars still shows this warning.
I set to 61 and it disappeared.

jack

it’s really

Osako Norrey

Thanks man. Saved my day.