I'm using BCrypt in Spring and it's giving me different hashes than some online tools are using, like https://bcrypt-generator.com/
Any ideas why?
I've tried setting the strength to 12 in Spring and setting rounds to 12 on bcrypt-generator.com, and it did not work.
```java
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setPasswordEncoder(new BCryptPasswordEncoder(12));
provider.setUserDetailsService(bettingBotUserDetailsService);
```
For the raw password "admin" I get these results:
bcrypt-generator.com with 12 rounds:
$2y$12$15h6Idq/TwfcuJu6H1VXie/ao7P4AKlLgIrC5yxbwlEUdJjx9Sl5S
Spring (captured from debug mode):
$2a$10$ED5wQChpxzagbvhlqEqD2.iIdIKv9ddvJcX0WKrQzSOckgc3RHFLW
BCrypt generates a different salt for the same input. Bcrypt Algorithm

BCrypt returns a different hash each time because it incorporates a different random value into the hash. This is known as a "salt". It prevents people from attacking your hashed passwords with a "rainbow table", a pre-generated table mapping password hashes back to their passwords. The salt means that instead of there being one hash for a password, there's 2^16 of them.
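We can check the hashed password against the plain string as follows:

```java
// matches() re-hashes the raw password with the salt and cost stored in dbPassword
Boolean isMatch = passwordEncoder().matches(currentPassword, dbPassword);

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}
```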
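As an added example (not part of the original question or answer), this JDK-only parser splits the two hashes quoted in the question into version, cost, salt and digest, so the differences can be read field by field. The class name `BcryptFields` and its `parse` helper are hypothetical, and the nested record needs Java 16 or later.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: splits a bcrypt string into its fields using only the JDK.
public class BcryptFields {
    // Layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>,
    // with salt and digest written in bcrypt's own base64 alphabet.
    private static final Pattern FORMAT = Pattern.compile(
        "\\$(2[abxy]?)\\$(\\d{2})\\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})");

    record Fields(String version, int cost, String salt, String digest) {}

    static Fields parse(String hash) {
        Matcher m = FORMAT.matcher(hash);
        if (!m.matches()) {
            throw new IllegalArgumentException("not a bcrypt hash: " + hash);
        }
        int cost = Integer.parseInt(m.group(2));
        if (cost < 4 || cost > 31) { // bcrypt defines costs 4..31 only
            throw new IllegalArgumentException("cost out of range: " + cost);
        }
        return new Fields(m.group(1), cost, m.group(3), m.group(4));
    }

    public static void main(String[] args) {
        // The two hashes quoted in the question.
        String online = "$2y$12$15h6Idq/TwfcuJu6H1VXie/ao7P4AKlLgIrC5yxbwlEUdJjx9Sl5S";
        String spring = "$2a$10$ED5wQChpxzagbvhlqEqD2.iIdIKv9ddvJcX0WKrQzSOckgc3RHFLW";

        Fields a = parse(online);
        Fields b = parse(spring);
        System.out.println("online: " + a);
        System.out.println("spring: " + b);

        // Any differing field guarantees a different final string,
        // even when both were computed from the same raw password.
        System.out.println("same version: " + a.version().equals(b.version()));
        System.out.println("same cost:    " + (a.cost() == b.cost()));
        System.out.println("same salt:    " + a.salt().equals(b.salt()));
    }
}
```

The Spring hash carries cost 10, so it was not produced by an encoder constructed with strength 12. Because the salt differs on every `encode` call, two bcrypt strings are compared with `matches`, never with string equality.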