When implementing authentication with Spring Security, you may face this warning:

Encoded password does not look like BCrypt

This causes login function does not work for your Spring application. There’s a couple reasons you got this error.

 

Reason #1:

The password stored in database is not in BCrypt format. A password encoded using BCrypt hash algorithm looks like this:

$2a$10$rfUczXcy3gmhT2Hft.ewI.jrK3JtBNVs0z7BLgx4x15xuYHI95mg6

To fix this issue, use a BCrypt generator tool online to encode your plain text password into BCrypt format. With Java, you can write a simple program to hash a plain text password using BCrypt algorithm like as follows:

package net.codejava;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class PasswordEncoderTest {

	public static void main(String[] args) {
		BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
		String encodedPassword = passwordEncoder.encode("yourplaintextpassword");
		
		System.out.println(encodedPassword);

	}

}

Then update the password in database.

In case in-memory users are used, you can encode the passwords as below:

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
		PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
		
		auth.inMemoryAuthentication()
			.withUser("admin").password(encoder.encode("nimda"))
			.roles("ADMIN");
	}
	
}

Or using the {bcrypt} prefix for the encoded password like this:

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

	auth.inMemoryAuthentication()
		.withUser("namhm").password("{bcrypt}$2a$10$fUXt47JTx/Rv/OHBkQgqAOvan445zDU7tCZcHr...")
		.roles("USER")
		;
}

 

Reason #2:

You use the prefix {bcrypt} in your password for in-memory users while explicitly specify the password encoder is BCrypt, for example:

@Bean
public PasswordEncoder passwordEncoder() {
	return new BCryptPasswordEncoder();	
}



@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

	auth.inMemoryAuthentication()
		.withUser("namhm").password("{bcrypt}$2a$10$fUXt47JTx/Rv/OHBkQgqAOvan445zDU7tCZcHr...")
		.roles("USER")
		;
}

To fix the login issue and get rid of the warning “Encoded password does not look like BCrypt”, either remove the {bcrypt} prefix or remove the password encoder declaration.

 

Related Spring Security Tutorials:

• Spring Web MVC Security Basic Example Part 1 with XML Configuration
• Spring Web MVC Security Basic Example Part 2 (Java-based Configuration)

 

Other Spring Tutorials:

• Understand the core of Spring framework
• Understand Spring MVC
• Understand Spring AOP
• Spring MVC beginner tutorial with Spring Tool Suite IDE
• Spring MVC Form Handling Tutorial
• Spring MVC Form Validation Tutorial
• 14 Tips for Writing Spring MVC Controller
• Spring Web MVC Security Basic Example (XML Configuration)
• Understand Spring Data JPA with Simple Example