 

What is the most appropriate use of StandardPasswordEncoder for salting passwords in spring security 3.1?

I would like to add password salting to a site I am working on, and I discovered that Spring Security 3.1 has some new features to make this very easy to do.

I have a question about the StandardPasswordEncoder class. It operates a little differently than I would expect. It seems simpler to use than coding the salting myself, but I think there's some "magic" going on that I don't understand.

StandardPasswordEncoder seems to randomly salt the hash for me, which is fine. But upon matching the original password to the encoded password... how is it able to match the passwords without knowing what the original salt was in the first place?

It is my understanding that once you make a salt, you can't go back... so if there's a random salt to generate the encoded hash in the first place... how is StandardPasswordEncoder able to match the password at a later point? I am confused. Shouldn't I have to get the salt, persist the salt in the database and then supply the salt? How is it able to do this without me storing and providing the salt value?

Thanks for clearing up the confusion. I hope my question makes sense.

egervari asked Apr 14 '11 05:04


1 Answer

It stores the hashed password concatenated with the salt, see StandardPasswordEncoder.java, so it knows the salt when checking the password.

axtavt answered Oct 05 '22 05:10
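As an added example (not code from the question, the answer, or Spring Security itself), here is a small Python model of the scheme the answer describes: a fresh random salt is generated on every encode() call and stored in the clear in front of the digest, and matches() slices that salt back off the stored value before re-hashing the candidate password. The specific parameters used below (an 8-byte salt, SHA-256 iterated 1024 times, an optional application-wide secret mixed into the hash input) are assumptions taken from my reading of the Spring Security 3.1 source and are not stated anywhere on this page.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters modelled on StandardPasswordEncoder (assumed from its source, not
# stated on the page): 8-byte random salt, SHA-256 iterated 1024 times, and an
# optional application secret concatenated into the input.
SALT_LEN = 8
DIGEST_LEN = 32          # SHA-256 output size
ITERATIONS = 1024


def _digest(password: str, salt: bytes, secret: bytes) -> bytes:
    """Hash salt || secret || password with SHA-256, ITERATIONS times over."""
    value = salt + secret + password.encode("utf-8")
    for _ in range(ITERATIONS):
        value = hashlib.sha256(value).digest()
    return value


def encode(password: str, secret: str = "", salt: Optional[bytes] = None) -> str:
    """Return hex(salt || digest).

    The salt is stored unhashed in front of the digest; that is the only
    reason matches() can verify later without a separate salt column.
    The `salt` parameter exists for deterministic tests only; in real use
    it is always drawn from a CSPRNG.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)          # new random salt per call
    assert len(salt) == SALT_LEN
    return (salt + _digest(password, salt, secret.encode("utf-8"))).hex()


def matches(password: str, encoded: str, secret: str = "") -> bool:
    """Recover the salt from the stored value, re-hash, compare in constant time."""
    stored = bytes.fromhex(encoded)
    if len(stored) != SALT_LEN + DIGEST_LEN:
        return False                          # malformed stored value
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    actual = _digest(password, salt, secret.encode("utf-8"))
    return hmac.compare_digest(actual, expected)


def salt_of(encoded: str) -> bytes:
    """The per-password salt is simply the first SALT_LEN bytes of the stored hex."""
    return bytes.fromhex(encoded)[:SALT_LEN]


if __name__ == "__main__":
    # Constructed demo input: two encodes of the same password differ in their
    # salt prefix, yet both verify, because the salt travels with the digest.
    a = encode("correct horse battery staple", secret="app-secret")
    b = encode("correct horse battery staple", secret="app-secret")
    print("stored value 1:", a)
    print("stored value 2:", b)
    print("different stored values:", a != b)
    print("salt 1:", salt_of(a).hex(), "salt 2:", salt_of(b).hex())
    print("both match:", matches("correct horse battery staple", a, "app-secret")
          and matches("correct horse battery staple", b, "app-secret"))
    print("wrong password rejected:", not matches("wrong", a, "app-secret"))
```

The thing to take away is that the stored string is 80 hex characters: 16 for the salt, 64 for the digest. Nothing about the salt is secret; its job is only to make identical passwords hash differently and to defeat precomputed tables, so keeping it next to the digest costs nothing. One caveat a practitioner would want: Spring Security later deprecated StandardPasswordEncoder in favour of adaptive, work-factor-tunable encoders such as BCryptPasswordEncoder, because a fixed 1024 rounds of SHA-256 is cheap to brute-force on modern hardware; the salt-in-front storage trick is the same there, only the hash function differs.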