What is the “strength” parameter in BcryptEncoder of Spring Security

Hugo
2 min read · Dec 7, 2021

Recently I was asked to explain whether, when one application uses BcryptEncoder(10), another application can use BcryptEncoder(11) and both can still verify the same password.

The short answer: yes, this works. bcrypt stores the strength (cost) in the hash string together with the salt, so verification reads it from the stored hash rather than from the encoder's configuration. The parameter is designed to be increased over time as hardware becomes more powerful, in order to slow down brute-force attacks.

(If you are not familiar with password hashing, I recommend reading https://auth0.com/blog/hashing-passwords-one-way-road-to-security/)

Let’s first have a look at the Spring Security doc: “strength - the log rounds to use, between 4 and 31”, https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html#%3Cinit%3E(int)

Main doubt: does this parameter affect the random text used for hashing? We know that a random text (salt) is mixed into the hashing and stored alongside the result, so the same password does not produce the same hash twice.

Answer: no. The strength is the cost factor: bcrypt repeats its key-expansion 2^strength times when deriving the hash from the password and the salt, so each increment doubles the work and an attacker has to spend correspondingly more time per guess.
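The following is an added example (not code from the original post) showing the point above with Spring Security's BCryptPasswordEncoder: a hash produced at strength 10 is verified by an encoder configured with strength 11, the cost is read back out of the hash string, and upgradeEncoding() (available from Spring Security 5.1, an assumption about your version) reports when a stored hash should be re-hashed at the higher cost. The password value is constructed for the demo.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class StrengthDemo {

    // Read the cost factor out of a bcrypt hash of the form "$2a$10$<22-char salt><31-char digest>".
    // Splitting on "$" gives ["", "2a", "10", "<salt+digest>"]; the third field is the cost.
    static int costOf(String bcryptHash) {
        String[] parts = bcryptHash.split("\\$");
        return Integer.parseInt(parts[2]);
    }

    public static void main(String[] args) {
        String rawPassword = "correct horse battery staple"; // constructed sample value

        BCryptPasswordEncoder encoder10 = new BCryptPasswordEncoder(10);
        BCryptPasswordEncoder encoder11 = new BCryptPasswordEncoder(11);

        String hash10 = encoder10.encode(rawPassword);
        System.out.println("hash from strength 10: " + hash10);
        System.out.println("cost stored in hash:   " + costOf(hash10));

        // matches() takes the cost and the salt from the stored hash, not from the encoder's
        // own strength, so the strength-11 encoder verifies a strength-10 hash.
        System.out.println("encoder11.matches:     " + encoder11.matches(rawPassword, hash10));
        System.out.println("encoder10.matches:     " + encoder10.matches(rawPassword, hash10));
        System.out.println("wrong password:        " + encoder11.matches("wrong", hash10));

        // Encoding the same password twice yields different strings because a fresh salt is drawn.
        String hash10again = encoder10.encode(rawPassword);
        System.out.println("identical hashes?      " + hash10.equals(hash10again));

        // upgradeEncoding() is true when the stored hash's cost is below the encoder's configured
        // strength; an application can use it to re-hash on the user's next successful login.
        System.out.println("upgrade needed (11):   " + encoder11.upgradeEncoding(hash10));
        System.out.println("upgrade needed (10):   " + encoder10.upgradeEncoding(hash10));
    }
}
```

Running this prints the cost 10 from the hash, true for both matches() calls with the right password, false for the wrong password and for the two-hashes-identical check, and true/false for the two upgradeEncoding() calls. The practical consequence is that raising the strength in one deployment never breaks verification of hashes written by another; it only changes the cost of hashes written from then on.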

(If you don’t know about salts, I recommend reading https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/)

Q: What’s the best value for strength?

Answer: in general a user can tolerate 1 to 2 seconds to log in, so tune the value so that authentication takes about 1 to 2 seconds on your hardware, balancing security and user experience. When I log in to Facebook, it takes approximately 1 to 2 seconds.
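An added example (not from the original post) of how to pick the strength empirically: it times a single encode() at increasing cost factors on the machine it runs on and stops at the first value that takes at least the target time. The target of 1000 ms and the sample password are constructed values; the loop starts at Spring Security's default strength of 10.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class StrengthCalibration {

    // Time one encode() at the given strength, in milliseconds.
    static long millisPerHash(int strength, String sample) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(strength);
        long start = System.nanoTime();
        encoder.encode(sample);
        return (System.nanoTime() - start) / 1_000_000;
    }

    // Walk the cost factor upward from the default until one hash takes at least targetMillis.
    // Each step doubles the work, so only a handful of steps are needed; 31 is the maximum.
    static int strengthFor(long targetMillis, String sample) {
        for (int strength = 10; strength <= 31; strength++) {
            long ms = millisPerHash(strength, sample);
            System.out.printf("strength %2d: %5d ms%n", strength, ms);
            if (ms >= targetMillis) {
                return strength;
            }
        }
        return 31;
    }

    public static void main(String[] args) {
        String sample = "calibration-sample-password"; // constructed; any value works
        millisPerHash(10, sample);                     // warm up the JIT before measuring
        int chosen = strengthFor(1000, sample);
        System.out.println("Strength giving >= 1 s per hash on this hardware: " + chosen);
    }
}
```

Run it on the hardware that will actually serve logins, not on a developer laptop, and repeat it when that hardware changes. Because every increment doubles the CPU time per hash, the chosen value also sets the per-request cost an attacker can impose on the login endpoint, which is the trade-off the next section discusses.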

If you want to know more about bcrypt, I recommend reading

https://auth0.com/blog/hashing-in-action-understanding-bcrypt/

https://www.baeldung.com/spring-security-registration-password-encoding-bcrypt#define-the-password-encoder

bcrypt also has disadvantages:

  • It needs extra computational resources to process large volumes of authentication requests.
  • Denial-of-service attacks are easier to mount: because bcrypt is deliberately slow, the authentication endpoint becomes an attractive DDoS target.

To mitigate the above, you can:

  • Pick a lower “strength” parameter.
  • Make the user solve a CAPTCHA when they log in.
  • Rate-limit authentication attempts per IP address.
  • Support remember-me so users only need to re-authenticate after days or weeks.
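As an added illustration of the per-IP rate-limiting option (my own example, not code from the original post), here is a fixed-window limiter in plain Java with no Spring wiring. The idea is to reject an address that has exhausted its budget before the request ever reaches the bcrypt check, so excess attempts cost the server a map lookup rather than a full hash. The limit of 5 attempts per minute, the timestamp and the IP address are constructed values.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Fixed-window per-IP limiter for login attempts. Thread-safe because all updates to a
// given address happen inside ConcurrentHashMap.compute(), which is atomic per key.
public class LoginRateLimiter {

    private static final class Window {
        final Instant start;
        int count;
        Window(Instant start) { this.start = start; }
    }

    private final int maxAttempts;
    private final Duration window;
    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    public LoginRateLimiter(int maxAttempts, Duration window) {
        this.maxAttempts = maxAttempts;
        this.window = window;
    }

    // Returns true if this attempt may proceed to the expensive bcrypt comparison,
    // false if the address has already used its budget for the current window.
    public boolean tryAcquire(String clientIp, Instant now) {
        boolean[] allowed = new boolean[1];
        windows.compute(clientIp, (ip, w) -> {
            if (w == null || now.isAfter(w.start.plus(window))) {
                w = new Window(now); // first attempt, or the previous window has expired
            }
            if (w.count < maxAttempts) {
                w.count++;
                allowed[0] = true;
            }
            return w;
        });
        return allowed[0];
    }

    public static void main(String[] args) {
        LoginRateLimiter limiter = new LoginRateLimiter(5, Duration.ofMinutes(1));
        Instant t0 = Instant.parse("2021-12-07T10:00:00Z"); // constructed timestamp
        String ip = "203.0.113.7";                           // constructed, documentation range

        for (int i = 1; i <= 7; i++) {
            boolean allowed = limiter.tryAcquire(ip, t0.plusSeconds(i));
            System.out.println("attempt " + i + ": " + (allowed ? "run bcrypt" : "reject before hashing"));
        }
        // Once the window has passed, the budget for the address starts over.
        boolean later = limiter.tryAcquire(ip, t0.plusSeconds(61));
        System.out.println("after 61 s: " + (later ? "run bcrypt" : "reject before hashing"));
    }
}
```

In a Spring application this check belongs in a servlet filter placed ahead of UsernamePasswordAuthenticationFilter, so that a rejected request never reaches the PasswordEncoder. For a multi-instance deployment the counters would live in a shared store rather than an in-process map, and a real deployment should also evict stale entries so the map does not grow without bound.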
