Tags: java, spring, spring-boot, spring-security, passwords

What should the password field length in the DB be when using Spring Security?


I want to create my User table and set a proper size for the password field used for the signup request.

import jakarta.persistence.Column;   // javax.persistence.* on Spring Boot 2.x / JPA 2
import jakarta.persistence.Entity;
import lombok.EqualsAndHashCode;

@Entity
@EqualsAndHashCode(callSuper = true) // Lombok: include Person's fields in equals/hashCode
public class User extends Person {

    // Login name; uniqueness is enforced by a DB constraint
    @Column(length = 50, nullable = false, unique = true)
    private String username;

    // Holds the *encoded* password, never the raw one; length must fit the encoder's output
    @Column(length = 120, nullable = false)
    private String password;
}

But here I have to think about the length of the encrypted password. I searched but could not find a solution. So, when using Spring Security, what is the length of the (encrypted) password in the User table, and what is the max length for the password field when registering a user?

Spring Security may create proper data properties, but even so, I want to know the algorithm and the length of the password field.

Any help would be appreciated.


Solution

  • If you use Spring Security's suggestion, which uses DelegatingPasswordEncoder, it will always use BCrypt to encode a new password.

    And from this answer, the total length of a BCrypt hashed password is always about 60 bytes no matter how many characters the password has. The hashed password also needs to be prefixed with {bcrypt}, which is 8 bytes, so that DelegatingPasswordEncoder can decode it. Giving it some extra bytes as a buffer and making the column varchar(80) or so should be more than enough.

    For the maximum length of the password that a user can use, it depends on your business requirement. Just judge it by common sense and give it enough buffer, and it should be okay. For example, do you think it is common for a person to set his login password to 200 characters? If you think it does not make sense, most probably you need to choose a smaller maximum length until you find a maximum value that makes sense to you, and then give it some buffer.
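As an added example (not part of the original question or answer), the following Java snippet uses Spring Security's `PasswordEncoderFactories.createDelegatingPasswordEncoder()` to show what actually lands in the column: an 8-character `{bcrypt}` id prefix followed by the 60-character BCrypt string, so 68 characters in total for a freshly encoded password. The class name, the two limits and the pre-encode byte check are this example's own choices; the 72-byte figure is a property of BCrypt itself, which only ever uses the first 72 bytes of the input, so accepting longer raw passwords buys nothing. The column length of 80 mirrors the answer's varchar(80) suggestion.

```java
import java.nio.charset.StandardCharsets;

import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Illustrates the size of a Spring Security encoded password and the two
 * limits a registration endpoint should enforce. Example code, not from
 * the original page.
 */
public class PasswordColumnSizing {

    // BCrypt uses at most 72 bytes of input; a longer raw password is silently
    // truncated by the algorithm, so reject it up front (example policy).
    static final int MAX_RAW_PASSWORD_BYTES = 72;

    // Column length assumed for this example; matches the answer's varchar(80).
    static final int PASSWORD_COLUMN_LENGTH = 80;

    // Default delegating encoder: new encodings are "{bcrypt}" + BCrypt output.
    static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /** Encode a raw password for storage, enforcing both limits. */
    static String encodeForStorage(String rawPassword) {
        int rawBytes = rawPassword.getBytes(StandardCharsets.UTF_8).length;
        if (rawBytes > MAX_RAW_PASSWORD_BYTES) {
            throw new IllegalArgumentException(
                    "password exceeds " + MAX_RAW_PASSWORD_BYTES + " bytes");
        }
        String encoded = ENCODER.encode(rawPassword);
        // Guards against a future change of the default encoder (e.g. argon2)
        // producing a string the column cannot hold.
        if (encoded.length() > PASSWORD_COLUMN_LENGTH) {
            throw new IllegalStateException(
                    "encoded password (" + encoded.length()
                    + " chars) does not fit column of " + PASSWORD_COLUMN_LENGTH);
        }
        return encoded;
    }

    /** Verify a login attempt against the stored (prefixed) encoding. */
    static boolean verify(String rawPassword, String storedEncoding) {
        return ENCODER.matches(rawPassword, storedEncoding);
    }

    public static void main(String[] args) {
        String raw = "correct horse battery staple"; // constructed sample input
        String stored = encodeForStorage(raw);

        System.out.println("stored value : " + stored);
        System.out.println("stored length: " + stored.length());
        System.out.println("prefix ok    : " + stored.startsWith("{bcrypt}$2"));
        System.out.println("right pw     : " + verify(raw, stored));
        System.out.println("wrong pw     : " + verify("wrong password", stored));

        // A raw password longer than 72 bytes is rejected before encoding.
        try {
            encodeForStorage("x".repeat(73));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected     : " + e.getMessage());
        }
    }
}
```

Two practical notes. First, a BCrypt encoding is always exactly 60 characters (`$2a$`, the cost, a 22-character salt and a 31-character hash), so with the id prefix every row written by the default encoder is 68 characters; varchar(80) leaves room, but the length check above is what catches a mismatch if the default id ever changes, because an `{argon2}` or `{scrypt}` encoding is roughly 100 characters and would not fit. Second, `DelegatingPasswordEncoder.matches` throws an `IllegalArgumentException` ("There is no PasswordEncoder mapped for the id \"null\"") for a stored value that lacks the `{id}` prefix, so legacy rows holding a bare `$2a$...` hash must either be migrated to `{bcrypt}$2a$...` or the encoder must be built with an explicit default via `setDefaultPasswordEncoderForMatches`.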