BCrypt updating the library and iterations - would it break my login?

56
January 11, 2019, at 10:30 AM

I’ve got an old legacy application using Spring Security (3.1.0) for the BCrypt implementation. The hashes have a format like

$2a$10$Cas1.FrwwQ3...WqS1i31gHrk12J9YK

For the implementation, the encoder:

PasswordEncoder BCRYPT = new BCryptPasswordEncoder(BCRYP_ITERATIONS);

is used for creating hash (to be stored in database) and for matching.

My questions are:

  1. If I simply change BCRYP_ITERATIONS from the current 10 to 18, would this break my login?
    From how I understand BCrypt it would not – for matching it would simply use the iteration value that is stored inside the hash itself ($2a$10$), and for creating new hashes to be stored in the database the new value is used.

  2. If I’m updating the library to a recent implementation that uses the new version ($2b$) of BCrypt – would this break my login?
    As it somehow changes the method I would say yes – is this true?

Answer 1

1: If I simply change BCRYP_ITERATIONS from the current 10 to 18 – would this break my login? From how I understand BCrypt it would not – for matching it would simply use the iteration value that is stored inside the hash itself ($2a$10$), and for creating new hashes to be stored in the database the new value is used.

Yes, you are correct. This will not break your existing stored password hashes; matching will take the iterations from the hashed password itself, not from the value of BCRYP_ITERATIONS.

2: If I’m updating the library to a recent implementation that uses the new version ($2b$) of BCrypt – would this break my login? As it somehow changes the method I would say yes – is this true?

If you change from $2a$ to $2b$ it is just a minor version change. This means those are just bug fixes or slight enhancements to safety and performance, so it would not break the functionality.

Answer 2

Upgrading Spring Security shouldn't break your login, because the latest snapshot of Spring Security 5.2 still supports $2a, see BCryptPasswordEncoder:

Implementation of PasswordEncoder that uses the BCrypt strong hashing function. Clients can optionally supply a "version" ($2a, $2b, $2y) and a "strength" (a.k.a. log rounds in BCrypt) and a SecureRandom instance. The larger the strength parameter the more work will have to be done (exponentially) to hash the passwords. The default value is 10.

Neither should 18 log rounds break your login, because the latest snapshot of Spring Security 5.2 still supports 4 to 31 log rounds, see BCryptPasswordEncoder:

strength - the log rounds to use, between 4 and 31
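Both answers rest on the same fact: the revision ($2a/$2b/$2y) and the cost are part of the stored hash, so matches() reads them from the row rather than from the encoder's configuration. The following is an added example, not code from the question or from the Spring Security project. It parses that prefix, shows a $2b$/cost-12 encoder verifying a $2a$/cost-10 row, and then does what a practitioner actually wants after such an upgrade: rehash the row on the next successful login so it moves to the new cost and revision. It assumes the Spring Security 5.2-era API quoted in Answer 2 (BCryptPasswordEncoder(BCryptVersion, int), matches(), encode(), upgradeEncoding()); the helper names needsRehash and verifyAndMaybeRehash and the sample password are made up here, and the "legacy row" is constructed by encoding with a cost-10 encoder instead of reading a real database row.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder.BCryptVersion;

/**
 * Added example (not from the question or from Spring Security): matching reads
 * revision and cost from the stored hash; rows are migrated on the next login.
 * Assumes the Spring Security 5.2-era BCryptPasswordEncoder API.
 */
public class BcryptUpgradeOnLogin {

    // Same shape Spring Security itself checks: $2a|2b|2y$ + 2-digit cost + $ + 22 salt + 31 hash chars.
    private static final Pattern BCRYPT = Pattern.compile("^\\$(2[aby])\\$(\\d{2})\\$[./0-9A-Za-z]{53}$");

    /** Revision ("2a", "2b" or "2y") encoded in the hash prefix. */
    static String storedVersion(String hash) {
        return prefix(hash).group(1);
    }

    /** Cost (log rounds) encoded in the hash prefix; this, not the encoder's setting, drives matches(). */
    static int storedCost(String hash) {
        return Integer.parseInt(prefix(hash).group(2));
    }

    private static Matcher prefix(String hash) {
        Matcher m = BCRYPT.matcher(hash);
        if (!m.matches()) {
            throw new IllegalArgumentException("not a bcrypt hash");
        }
        return m;
    }

    /**
     * BCryptPasswordEncoder.upgradeEncoding() only compares the cost and says nothing about the
     * revision. This hypothetical helper also flags $2a$ rows when the target revision is $2b$.
     */
    static boolean needsRehash(String hash, String targetVersion, int targetCost) {
        return storedCost(hash) < targetCost || !storedVersion(hash).equals(targetVersion);
    }

    /**
     * Login path: verify against whatever cost/revision the row was written with; if the row is
     * behind policy, re-encode the plaintext just verified and return the new hash for the caller
     * to UPDATE the row with. Returns null when the password is wrong or no rehash is needed.
     */
    static String verifyAndMaybeRehash(BCryptPasswordEncoder current, String targetVersion, int targetCost,
                                       CharSequence rawPassword, String storedHash) {
        if (!current.matches(rawPassword, storedHash)) {
            return null;                       // wrong password: never touch the row
        }
        if (!needsRehash(storedHash, targetVersion, targetCost)) {
            return null;                       // already at policy
        }
        return current.encode(rawPassword);    // new hash carries the target revision and cost
    }

    public static void main(String[] args) {
        CharSequence pw = "correct horse battery staple";   // constructed sample password

        // Stand-in for what the legacy (3.1.0, cost 10, $2a$) code left in the database.
        String legacyRow = new BCryptPasswordEncoder(10).encode(pw);
        System.out.println("legacy row: $" + storedVersion(legacyRow) + "$ cost " + storedCost(legacyRow));

        // Post-upgrade encoder: $2b$ and a higher cost (12 here; the question proposes 18).
        int targetCost = 12;
        BCryptPasswordEncoder current = new BCryptPasswordEncoder(BCryptVersion.$2B, targetCost);

        // 1) The $2b$/cost-12 encoder still verifies the $2a$/cost-10 row.
        System.out.println("matches legacy row: " + current.matches(pw, legacyRow));
        // 2) Spring's own check flags the weaker cost (true here because 10 < 12).
        System.out.println("upgradeEncoding: " + current.upgradeEncoding(legacyRow));
        // 3) Rehash on login moves the row forward; the second call returns null, nothing left to do.
        String rehashed = verifyAndMaybeRehash(current, "2b", targetCost, pw, legacyRow);
        System.out.println("rehashed row: $" + storedVersion(rehashed) + "$ cost " + storedCost(rehashed));
        System.out.println("rehash again: " + verifyAndMaybeRehash(current, "2b", targetCost, pw, rehashed));
    }
}
```

Two things to check before picking the numbers from the question. The cost is a log value, so 18 means 2^18 rounds, 256 times the work of cost 10: if cost 10 takes about 100 ms on your hardware, cost 18 takes about 25 s per login attempt, which is a self-inflicted denial of service; measure and choose a cost that lands in the tens to low hundreds of milliseconds. And the migration is one-way for rollback purposes: the jBCrypt-derived code in the old Spring Security 3.1 encoder only accepts the $2a$ revision, so once rows have been rewritten as $2b$ the old library will reject them, which is why the rehash above is done only after a successful match and only once the new library is the one serving logins.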
