KorynLA / GuineaPigFactsBackend

Daily guinea pig facts

Encrypt passwords #6

Closed KorynLA closed 4 years ago

KorynLA commented 4 years ago

With Spring Boot, the Bcrypt PasswordEncoder seems to use one of the better algorithms.

rdelhommer commented 4 years ago

Bcrypt looks like it would work well. There is one potential issue that I've noticed in the documentation on their GitHub, and it's that there is a fairly short maximum character limit on the string being hashed.

Due to the limitation in the Blowfish cipher, the maximum password length is 72 bytes (note that UTF-8 encoded, a character can be as much as 4 bytes). Including the null-terminator byte, this will be reduced to 71 bytes. Per default, the hash() method will throw an exception if the provided password is too long.

Length is an important factor when determining password strength. If you're ok with this length restriction, then I think Bcrypt is a good option. Otherwise, there are other options out there like jasypt.

Also, your analysis on why passwords are hashed is good. I didn't see any mention of the salt, though. It's also an important component in the process for securing passwords.
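The byte limit and the salt discussed above, shown in working code. This is an added example for this thread, not code from GuineaPigFactsBackend; it assumes spring-security-crypto on the classpath (spring-boot-starter-security brings it in) and Java 11 or newer for String.repeat. The 72-byte figure is the one from the documentation quoted above; the BCRYPT_MAX_BYTES constant and the helper names are this example's own.

```java
import java.nio.charset.StandardCharsets;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example for the issue thread; not the project's code.
// Assumes spring-security-crypto is on the classpath.
public final class BcryptLimitDemo {

    // Limit from the bcrypt documentation quoted in the thread. Lower it to 71
    // if the implementation you deploy counts the NUL terminator against it.
    static final int BCRYPT_MAX_BYTES = 72;

    // Work factor 12 (Spring's default is 10). The cost is what slows down
    // offline guessing; tune it so one hash takes a few hundred ms on your CPU.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(12);

    /** UTF-8 length of the password, which is the length bcrypt actually sees. */
    static int utf8Length(CharSequence password) {
        return password.toString().getBytes(StandardCharsets.UTF_8).length;
    }

    /**
     * Hashes a password, rejecting input over bcrypt's byte limit up front.
     * Depending on the Spring Security version, BCryptPasswordEncoder either
     * truncates longer input silently or throws; checking here makes the
     * behaviour explicit and lets the API return a clear error to the client.
     */
    static String hash(CharSequence rawPassword) {
        int len = utf8Length(rawPassword);
        if (len > BCRYPT_MAX_BYTES) {
            throw new IllegalArgumentException("password is " + len
                    + " bytes in UTF-8; bcrypt accepts at most " + BCRYPT_MAX_BYTES);
        }
        return ENCODER.encode(rawPassword);
    }

    static boolean verify(CharSequence rawPassword, String storedHash) {
        // matches() reads the cost and salt back out of storedHash itself.
        return ENCODER.matches(rawPassword, storedHash);
    }

    public static void main(String[] args) {
        String pw = "correct horse battery staple"; // 28 chars, 28 bytes (constructed input)
        String h1 = hash(pw);
        String h2 = hash(pw);
        // Each encode() draws a fresh random salt, so the two hashes differ even
        // though the password is the same. The salt lives inside the stored
        // string ("$2a$12$" + 22 salt chars + 31 hash chars), so there is no
        // separate salt column to manage and no per-user salt to forget.
        System.out.println(h1);
        System.out.println(h2);
        System.out.println("same password, different hashes: " + !h1.equals(h2));
        System.out.println("verify ok:   " + verify(pw, h1));
        System.out.println("verify fail: " + verify("wrong", h1));

        // The limit is in bytes, not characters: 25 euro signs are 25 chars
        // but 75 UTF-8 bytes, so a character-count check would let this through.
        String wide = "\u20ac".repeat(25);
        System.out.println("chars=" + wide.length() + " bytes=" + utf8Length(wide));
        try {
            hash(wide);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two things the demo makes visible: hashing the same password twice yields two different strings, because the salt is generated per call and stored with the hash, and the length check has to be done on the UTF-8 bytes rather than on String.length(), or a non-ASCII password can pass a character-count check and still exceed what bcrypt will use.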

KorynLA commented 4 years ago

I will look into jasypt.

Also, a question: from the examples I've seen, the password has been encoded in userService directly before it is saved to the db. Could this instead be done with a filter? Take the request from the user -> password is found in the JSON while the filter is checking -> update the password field with the encoded version -> sent to the controller (or another filter -> authentication).

rdelhommer commented 4 years ago

I don't think this would be possible using the existing Filter concepts in Spring. Filters essentially provide functionality that wraps the controller method. Basically, pre-controller hook -> controller -> post-controller hook.

It's a good idea though... I think you could probably do something with the lifecycle events. If you added a hook for onBeforeConvert or onBeforeSave, I think you could have some functionality that auto-hashes the password.
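The lifecycle-event approach suggested above, written out as an added example rather than code from this repository. onBeforeConvert and onBeforeSave are the callback names of Spring Data MongoDB's AbstractMongoEventListener, so the example assumes that is the data layer, along with a User document that has a String password field and a PasswordEncoder bean; none of that is confirmed by the thread, and the class and field names are this example's own.

```java
import java.util.regex.Pattern;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.mapping.Document;
import org.springframework.data.mongodb.core.mapping.event.AbstractMongoEventListener;
import org.springframework.data.mongodb.core.mapping.event.BeforeConvertEvent;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

// Added example for the issue thread; not the project's code.
// Assumes Spring Data MongoDB and the User document defined below.
@Component
public class PasswordHashingListener extends AbstractMongoEventListener<User> {

    // Shape of what BCryptPasswordEncoder produces: "$2a$10$" + 53 chars of
    // salt and hash. Used to recognise a value that is already hashed.
    private static final Pattern BCRYPT_HASH =
            Pattern.compile("\\A\\$2[aby]?\\$\\d\\d\\$[./0-9A-Za-z]{53}\\z");

    private final PasswordEncoder encoder;

    public PasswordHashingListener(PasswordEncoder encoder) {
        this.encoder = encoder;
    }

    // Fires before the entity is turned into a Mongo Document, i.e. on every
    // save()/insert() through a repository or MongoTemplate, so no service
    // method can forget to hash. The mutation is made on the entity itself,
    // which is why this is done in onBeforeConvert rather than onBeforeSave
    // (by onBeforeSave the Document has already been built from the entity).
    @Override
    public void onBeforeConvert(BeforeConvertEvent<User> event) {
        User user = event.getSource();
        String pw = user.getPassword();
        if (pw == null || BCRYPT_HASH.matcher(pw).matches()) {
            return; // already hashed (e.g. re-saving a loaded user): never hash twice
        }
        user.setPassword(encoder.encode(pw));
    }
}

// Minimal document for the example (assumed shape, not the project's).
@Document("users")
class User {
    @Id
    private String id;
    private String username;
    private String password; // raw on the way in, bcrypt hash once persisted

    public String getId() { return id; }
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

// One shared encoder bean; the listener above and any login code use the same one.
@Configuration
class PasswordEncoderConfig {
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }
}
```

Two caveats worth knowing before adopting this. The "already hashed" guard is a heuristic: a loaded user whose password field still holds the stored hash must not be hashed again on re-save, and the regex is what prevents that, but it would also skip a raw password that happens to look like a bcrypt string. If that matters, give the entity a separate transient field for the incoming raw password and clear it after hashing instead of overloading one field. Second, the listener only sees writes that go through Spring Data's mapping layer; a bulk update or a raw driver call bypasses it, so the hashing rule holds only as long as every write path uses the repository or MongoTemplate.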