What is the “strength” parameter in BcryptEncoder of Spring Security
Recently I was asked about to explain when one application uses BcryptEncoder(10), can the other application uses BcryptEncoder(11) and two can work for the same password?
The short answer: yes, this can work, and this parameter is designed for increasing over time when hardware becomes more powerful, in order to slow down the brute-force attack.
(If you have no idea about hashing password, I recommend to read https://auth0.com/blog/hashing-passwords-one-way-road-to-security/)
Let’s first have a look at the Spring Security doc: strength
- the log rounds to use, between 4 and 31, https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html#%3Cinit%3E(int)
Main doubt: Is this a parameter affecting the random text used for hashing? We know a random text(salt) is appended or preappended to the hashed version of the plaintext, so the same password won’t have the same hashed version.
Answer: this parameter is used for deriving a set of subtexts from the orignal password, in order to slow down so the attacker would have to spend more time.
(If you don’t know about salt, I recommend to read https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/)
Q: What’s the best value for strength
?
Answer: In general user can wait 1 second to 2 seconds to log in, so you adjust the value and let the authentication take about 1 to 2 seconds to balance security and user experience. When I log in to Facebook, it takes approximately 1 to 2 seconds.
If you want to know more about bcrypt, I recommend to read
https://auth0.com/blog/hashing-in-action-understanding-bcrypt/
There are also disadvantages for bcrypt
- Need extra computational resources to process large volumes of authentication requests
- DDoS Attack will be easier to mount: bcrypt is slow and can cause the authentication process prone to DDoS attack.
To solve the above issue, you can
- Pick a lower “strength“ parameter
- Make the user solve a CAPTCHA when they log in.
- Restrict IP address for the amount of authentication
- Support Remember-me so user only needs to re-authenticate after days/weeks