Does JBCryptPasswordEncoder reuse the same salt?


Ioan Eugen Stan

Jun 24, 2024, 8:27:57 AM
to Pac4j development mailing list
Hello,

I'm looking at the code and it seems that, the way JBCryptPasswordEncoder is used, the salt is reused for all passwords.

The salt is saved for the lifetime of the encoder.

    public class JBCryptPasswordEncoder implements PasswordEncoder {

        // one salt, fixed at construction time and shared by every encode() call
        private String salt;

        public JBCryptPasswordEncoder(final String salt) {
            this.salt = salt;
        }

Compare this with the Spring implementation, where the salt is generated during the encoding phase.

    public String encode(CharSequence rawPassword) {
        byte[] salt = this.saltGenerator.generateKey();
        byte[] hash = new byte[this.hashLength];

IMO, JBCryptPasswordEncoder is insecure and should be fixed / removed.

Regards,
Eugen
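The difference described in the message above, as an added example that is not pac4j's or Spring's code: PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt (the hypothetical stand-in keeps bcrypt's convention of storing the salt next to the hash), `FixedSaltEncoder` mirrors the one-salt-for-the-encoder's-lifetime pattern, `PerPasswordSaltEncoder` draws a fresh salt on every call, and `encoder_reuses_salt` and `shared_password_users` are the two checks a reviewer would run against any encoder to see which pattern it follows. All names and sample values are constructed for this example.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 is a stand-in for bcrypt here; the salt discipline is the point,
# not the KDF. Work factor kept modest so the example runs quickly.
ITERATIONS = 50_000


def _derive(raw_password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", raw_password.encode("utf-8"), salt, ITERATIONS)


def _pack(salt: bytes, digest: bytes) -> str:
    # Store the salt next to the hash, as bcrypt does inside its "$2a$..." string,
    # so verification never depends on the encoder's internal state.
    return f"{salt.hex()}${digest.hex()}"


class FixedSaltEncoder:
    """Reproduces the flawed pattern: one salt chosen at construction and reused forever."""

    def __init__(self, salt: bytes) -> None:
        self.salt = salt

    def encode(self, raw_password: str) -> str:
        return _pack(self.salt, _derive(raw_password, self.salt))


class PerPasswordSaltEncoder:
    """The corrected pattern: a fresh random salt drawn on every encode() call."""

    def encode(self, raw_password: str) -> str:
        salt = secrets.token_bytes(16)
        return _pack(salt, _derive(raw_password, salt))


def matches(raw_password: str, encoded: str) -> bool:
    """Verify a candidate against a stored string; works for either encoder
    because the salt travels with the hash."""
    salt_hex, digest_hex = encoded.split("$", 1)
    expected = _derive(raw_password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


def encoder_reuses_salt(encoder, probe: str = "correct horse battery staple") -> bool:
    """Audit check: encoding the same password twice must not produce the same
    stored string. If it does, the salt is not being regenerated per call."""
    return encoder.encode(probe) == encoder.encode(probe)


def shared_password_users(user_table: dict) -> dict:
    """Group users by stored hash. With a fixed salt, users who chose the same
    password get identical rows, which any holder of the table can see at a glance;
    with per-password salts, no such grouping is possible."""
    groups: dict = {}
    for user, stored in user_table.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample: three users, two of whom chose the same password.
    for name, enc in (("fixed salt", FixedSaltEncoder(b"constructed-fixed-salt")),
                      ("per-password salt", PerPasswordSaltEncoder())):
        table = {"alice": enc.encode("hunter2"),
                 "bob": enc.encode("hunter2"),
                 "carol": enc.encode("another-password")}
        print(f"{name}: reuses salt={encoder_reuses_salt(enc)}, "
              f"users sharing a hash={shared_password_users(table)}")
        assert all(matches("hunter2", table[u]) for u in ("alice", "bob"))
```

Running the block shows the fixed-salt encoder failing the reuse check and exposing alice and bob as holders of the same password, while the per-password encoder passes both. For the real jBCrypt API the same correction is to call `BCrypt.gensalt()` inside `encode()` rather than holding a salt in a field; `BCrypt.checkpw()` already reads the salt back out of the stored hash, so nothing else has to change.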

Jérôme LELEU

Jun 24, 2024, 12:00:48 PM
to Ioan Eugen Stan, Pac4j development mailing list


Ioan Eugen Stan

Jun 27, 2024, 11:28:06 PM
to Pac4j development mailing list
Thank you :)