> For the complete documentation index, see [llms.txt](https://www.pranaypourkar.co.in/the-programmers-guide/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.pranaypourkar.co.in/the-programmers-guide/spring/spring-features/spring-security/authentication/core-components/userdetailsservice/passwordencoder.md). # PasswordEncoder ## About `PasswordEncoder` is a core interface in Spring Security that **handles password hashing and verification** to enhance security. It ensures that passwords are never stored as plaintext and helps **validate credentials securely** by comparing hashed passwords. Spring Security provides multiple implementations of `PasswordEncoder`, with **BCrypt** being the most commonly used due to its strong hashing algorithm and built-in salting mechanism. ## **Why is Password Encoding Important?** * **Prevents storing plaintext passwords** in databases. * **Enhances security** by hashing passwords before storing them. * **Uses one-way encryption**, making it difficult to reverse-engineer passwords. * **Protects against brute-force attacks** with slow hashing mechanisms. * **Ensures forward compatibility** by allowing seamless upgrades to stronger hashing algorithms. ## **PasswordEncoder Interface** Spring Security provides the following interface for password encoding: ```java public interface PasswordEncoder { String encode(CharSequence rawPassword); boolean matches(CharSequence rawPassword, String encodedPassword); } ```
MethodPurpose
encode(CharSequence rawPassword)Hashes the raw password.
matches(CharSequence rawPassword, String encodedPassword)Verifies the password against a stored hash.
## **Available Implementations of PasswordEncoder** Spring Security provides several implementations of `PasswordEncoder`, each designed for different security needs.
EncoderStrengthUsage
NoOpPasswordEncoderNot SecureStores plaintext passwords (Deprecated).
BCryptPasswordEncoderRecommendedUses bcrypt hashing with salting.
PBKDF2PasswordEncoderHighUses PBKDF2 key derivation function.
SCryptPasswordEncoderHighUses SCrypt hashing, suitable for memory-hard operations.
Argon2PasswordEncoderHighUses Argon2 hashing, winner of the Password Hashing Competition.
DelegatingPasswordEncoder🔄 FlexibleSupports multiple encoding types for seamless migration.
### **1. BCryptPasswordEncoder (Most Commonly Used)** `BCryptPasswordEncoder` is the most widely used password encoder because it automatically generates a **random salt**, making it resistant to **rainbow table attacks**. ```java @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } ``` * Uses **bcrypt hashing** algorithm. * Generates **a different hash even for the same password**. * Suitable for **high-security applications**. #### **Example Usage** ```java PasswordEncoder encoder = new BCryptPasswordEncoder(); String rawPassword = "securePassword"; String hashedPassword = encoder.encode(rawPassword); System.out.println("Encoded password: " + hashedPassword); boolean matches = encoder.matches("securePassword", hashedPassword); System.out.println("Password Match: " + matches); ``` * **Hashes the password before storing**. * **Compares hashed values** to verify authentication. ### **2. PBKDF2PasswordEncoder** PBKDF2 (Password-Based Key Derivation Function 2) is a **key-stretching algorithm** that uses multiple iterations to slow down brute-force attacks. ```java @Bean public PasswordEncoder passwordEncoder() { return new Pbkdf2PasswordEncoder(); } ``` * **Provides strong hashing** with configurable iteration count. * More resistant to **GPU-based brute-force attacks** than bcrypt. ### **3. SCryptPasswordEncoder** SCrypt is a **memory-hard** password hashing algorithm, making it highly secure. ```java @Bean public PasswordEncoder passwordEncoder() { return new SCryptPasswordEncoder(); } ``` * Uses **high memory usage** to slow down attackers. * Ideal for **modern authentication systems**. ### **4. Argon2PasswordEncoder** (Most Secure) Argon2 is the **winner of the Password Hashing Competition (PHC)** and is considered one of the best hashing algorithms. ```java @Bean public PasswordEncoder passwordEncoder() { return new Argon2PasswordEncoder(); } ``` * **Highly secure** and resistant to brute-force attacks. * **Memory-intensive**, making it difficult to attack using GPUs. ### **5. NoOpPasswordEncoder (Deprecated & Insecure)** `NoOpPasswordEncoder` **does not hash passwords** and stores them in plaintext. **Never use it in production!** ```java @Bean public PasswordEncoder passwordEncoder() { return NoOpPasswordEncoder.getInstance(); } ``` * Only useful for testing purposes. * Insecure – passwords remain in plaintext. ### **6. DelegatingPasswordEncoder (Handles Migrations)** When migrating from **one hashing algorithm to another**, `DelegatingPasswordEncoder` allows backward compatibility. ```java @Bean public PasswordEncoder passwordEncoder() { return PasswordEncoderFactories.createDelegatingPasswordEncoder(); } ``` * **Supports multiple encoding mechanisms**. * Automatically **migrates passwords** from old hashing formats. #### **Example Hash Storage Format** Passwords encoded with `DelegatingPasswordEncoder` are stored like this: ``` {bcrypt}$2a$10$hG1KbAp82KgVsNfM/Wpm6ePEpLv.Kz/PZEV6QuUz6rUVIuT4OAiWi ``` * `{bcrypt}` specifies which algorithm was used. * This helps with **seamless migration** to new hashing algorithms. ## **Password Encoding Configuration** ### **Spring Boot 2 (`WebSecurityConfigurerAdapter`)** ```java @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); } } ``` * Uses `WebSecurityConfigurerAdapter` (Deprecated in Spring Security 5.7+). * Defines `PasswordEncoder` as a bean. ### **Spring Boot 3 (Bean-based Security Configuration)** ```java @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Bean public AuthenticationManager authenticationManager(UserDetailsService userDetailsService, PasswordEncoder passwordEncoder) { DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); provider.setUserDetailsService(userDetailsService); provider.setPasswordEncoder(passwordEncoder); return new ProviderManager(List.of(provider)); } } ``` * Uses explicit bean-based security configuration. * Defines `PasswordEncoder` as a Spring Bean. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://www.pranaypourkar.co.in/the-programmers-guide/spring/spring-features/spring-security/authentication/core-components/userdetailsservice/passwordencoder.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.