When implementing authentication with Spring Security, you may face this warning:

Encoded password does not look like BCrypt

This causes login function does not work for your Spring application. There’s a couple reasons you got this error.

 

Reason #1:

The password stored in database is not in BCrypt format. A password encoded using BCrypt hash algorithm looks like this:

$2a$10$rfUczXcy3gmhT2Hft.ewI.jrK3JtBNVs0z7BLgx4x15xuYHI95mg6

To fix this issue, use a BCrypt generator tool online to encode your plain text password into BCrypt format. With Java, you can write a simple program to hash a plain text password using BCrypt algorithm like as follows:

package net.codejava;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class PasswordEncoderTest {

	public static void main(String[] args) {
		BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
		String encodedPassword = passwordEncoder.encode("yourplaintextpassword");
		
		System.out.println(encodedPassword);

	}

}

Then update the password in database.

In case in-memory users are used, you can encode the passwords as below:

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
		PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
		
		auth.inMemoryAuthentication()
			.withUser("admin").password(encoder.encode("nimda"))
			.roles("ADMIN");
	}
	
}

Or using the {bcrypt} prefix for the encoded password like this:

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

	auth.inMemoryAuthentication()
		.withUser("namhm").password("{bcrypt}$2a$10$fUXt47JTx/Rv/OHBkQgqAOvan445zDU7tCZcHr...")
		.roles("USER")
		;
}

 

Reason #2:

You use the prefix {bcrypt} in your password for in-memory users while explicitly specify the password encoder is BCrypt, for example:

@Bean
public PasswordEncoder passwordEncoder() {
	return new BCryptPasswordEncoder();	
}



@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

	auth.inMemoryAuthentication()
		.withUser("namhm").password("{bcrypt}$2a$10$fUXt47JTx/Rv/OHBkQgqAOvan445zDU7tCZcHr...")
		.roles("USER")
		;
}

To fix the login issue and get rid of the warning “Encoded password does not look like BCrypt”, either remove the {bcrypt} prefix or remove the password encoder declaration.

 

Related Spring Security Tutorials:

 

Other Spring Tutorials:


About the Author:

is certified Java programmer (SCJP and SCWCD). He began programming with Java back in the days of Java 1.4 and has been passionate about it ever since. You can connect with him on Facebook and watch his Java videos on YouTube.



Add comment