Password encoding in Spring using Argon2

Ranch Hand
Is there any implementation of Argon2 in Spring Security? I can't find any API for it.
The framework has support for Bcrypt and Scrypt. If Argon2 is not supported, which is the best one to choose: Bcrypt or Scrypt?
Bartender
Why do you want to use Argon2? I can find a PasswordEncoder implementation on GitHub, but nothing that looks official.

The documentation for PasswordEncoder itself states that BCrypt is recommended.
Puspender Tanwar
Stephan van Hulst wrote: Why do you want to use Argon2?

I read a Stackoverflow answer that Argon2 is a better choice.

Stephan van Hulst wrote: The documentation for PasswordEncoder itself states that BCrypt is recommended.

Isn't SCrypt a better choice than Bcrypt?
Stephan van Hulst
Likely, but that doesn't mean that the particular implementation for Java or Spring of SCrypt is better than the implementation of BCrypt.

Personally, I would pick the strongest algorithm that is provided by the Java Cryptography Architecture, which is PBKDF2, OR whatever your framework recommends, which is BCrypt.

I'm sure that once security experts reach consensus on what's the best algorithm to use, the platform or frameworks will be updated accordingly.

It possibly doesn't matter anyway. For the purposes you intend to use it, PBKDF2, BCrypt, SCrypt or Argon2 are probably all more than sufficient.
Puspender Tanwar
Thanks.
I have a doubt: suppose one day Bcrypt is no longer secure enough (like a few others). How do large existing applications handle migrating the already created users? How do they decrypt the passwords using the new algorithm?
Stephan van Hulst
When the user successfully logs in with the old algorithm, you can replace their existing key with a new one derived from the password they used to log in with.
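The re-hash-on-login approach described above, written out as an added example (not code from the thread or from Spring's own documentation). It assumes Spring Security 5.1 or later, where DelegatingPasswordEncoder stores hashes with an algorithm prefix such as {bcrypt} and PasswordEncoder.upgradeEncoding() reports whether a stored hash is in the current default format; the in-memory user store and the user "alice" are constructed for the demo.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

import java.util.HashMap;
import java.util.Map;

public class PasswordUpgradeDemo {

    // Hypothetical user store (username -> encoded password), constructed for this example.
    private final Map<String, String> userStore = new HashMap<>();
    private final PasswordEncoder encoder;

    PasswordUpgradeDemo() {
        // New hashes are written with the "scrypt" prefix; legacy "{bcrypt}..." hashes still verify.
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        encoders.put("scrypt", new SCryptPasswordEncoder());
        this.encoder = new DelegatingPasswordEncoder("scrypt", encoders);
    }

    // Login check that transparently re-hashes a legacy record once the user proves the password.
    boolean login(String username, String rawPassword) {
        String stored = userStore.get(username);
        if (stored == null || !encoder.matches(rawPassword, stored)) {
            return false;
        }
        // upgradeEncoding() is true when the stored hash was not produced by the default encoder.
        // This is the only moment the plaintext is available, so re-hash it now.
        if (encoder.upgradeEncoding(stored)) {
            userStore.put(username, encoder.encode(rawPassword));
        }
        return true;
    }

    public static void main(String[] args) {
        PasswordUpgradeDemo demo = new PasswordUpgradeDemo();
        // Simulate a record created before the migration, hashed directly with bcrypt.
        demo.userStore.put("alice", "{bcrypt}" + new BCryptPasswordEncoder().encode("correct horse"));
        System.out.println("before: " + demo.userStore.get("alice").substring(0, 8));
        System.out.println("wrong password accepted: " + demo.login("alice", "nope"));
        System.out.println("right password accepted: " + demo.login("alice", "correct horse"));
        System.out.println("after:  " + demo.userStore.get("alice").substring(0, 8));
    }
}
```

SCryptPasswordEncoder needs Bouncy Castle on the classpath; a user who never logs in again keeps the old hash, so a separate policy (such as forcing a reset after a deadline) is needed to finish the migration.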