Password encoding in Spring using Argon2  RSS feed

Puspender Tanwar
Ranch Hand
Posts: 640
Is there any implementation of Argon2 in Spring Security? I can't find any API for it.
The framework has support for BCrypt and SCrypt. If Argon2 is not supported, which is the better one to choose: BCrypt or SCrypt?
 
Stephan van Hulst
Saloon Keeper
Posts: 10101
Why do you want to use Argon2? I can find a PasswordEncoder implementation on GitHub, but nothing that looks official.

The documentation for PasswordEncoder itself states that BCrypt is recommended.
 
Puspender Tanwar
Ranch Hand
Posts: 640
Stephan van Hulst wrote: Why do you want to use Argon2?

I read a Stack Overflow answer saying that Argon2 is the better choice.

Stephan van Hulst wrote: The documentation for PasswordEncoder itself states that BCrypt is recommended.

Isn't SCrypt a better choice than BCrypt?
 
Stephan van Hulst
Saloon Keeper
Posts: 10101
Likely, but that doesn't mean that the particular implementation for Java or Spring of SCrypt is better than the implementation of BCrypt.

Personally, I would pick the strongest algorithm that is provided by the Java Cryptography Architecture, which is PBKDF2, OR whatever your framework recommends, which is BCrypt.

I'm sure that once security experts reach consensus on what the best algorithm to use is, the platform or frameworks will be updated accordingly.

It possibly doesn't matter anyway. For the purposes you intend to use it, PBKDF2, BCrypt, SCrypt or Argon2 are probably all more than sufficient.
 
Puspender Tanwar
Ranch Hand
Posts: 640
Thanks.
I have a doubt: suppose one day BCrypt is no longer secure enough (like a few others). How do large existing applications handle migrating the already created users? How do they decrypt the passwords using the new algorithm?
 
Stephan van Hulst
Saloon Keeper
Posts: 10101
When the user successfully logs in with the old algorithm, you can replace their existing key with a new one derived from the password they used to log in with.
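The re-hash-on-login approach described above, as an added example that is not code from this thread or from Spring Security's own documentation. It assumes spring-security-crypto 5.1 or later on the classpath (which provides DelegatingPasswordEncoder and PasswordEncoder.upgradeEncoding) plus Bouncy Castle for SCryptPasswordEncoder; the in-memory user store and the bcrypt-to-scrypt migration are illustrative choices.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

public class PasswordHashMigration {
    // Hypothetical user store: username -> stored hash. Each hash is tagged with its
    // algorithm id ("{bcrypt}...", "{scrypt}...") so old and new records can coexist.
    private final Map<String, String> userStore = new HashMap<>();

    // The id passed first ("scrypt") is used for NEW hashes; every id in the map can
    // still be verified, which is what keeps legacy users able to log in.
    private final PasswordEncoder encoder;

    public PasswordHashMigration() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder()); // legacy algorithm
        encoders.put("scrypt", new SCryptPasswordEncoder()); // replacement algorithm
        this.encoder = new DelegatingPasswordEncoder("scrypt", encoders);
    }

    /** Creates a record as it would have been stored when only bcrypt was in use. */
    public void addLegacyUser(String username, String rawPassword) {
        userStore.put(username, "{bcrypt}" + new BCryptPasswordEncoder().encode(rawPassword));
    }

    /** Verifies the password; on success, re-hashes it if the stored hash is outdated. */
    public boolean login(String username, String rawPassword) {
        String stored = userStore.get(username);
        if (stored == null || !encoder.matches(rawPassword, stored)) {
            return false; // failed login: the stored hash is never modified
        }
        // The plaintext is only available during a successful login, so this is the one
        // place where an old hash can be replaced by one made with the current algorithm.
        if (encoder.upgradeEncoding(stored)) {
            userStore.put(username, encoder.encode(rawPassword));
        }
        return true;
    }

    public static void main(String[] args) {
        PasswordHashMigration app = new PasswordHashMigration();
        app.addLegacyUser("alice", "correct horse battery staple"); // constructed sample
        System.out.println("before login: " + app.userStore.get("alice"));
        app.login("alice", "correct horse battery staple");
        System.out.println("after login:  " + app.userStore.get("alice"));
    }
}
```

Because upgradeEncoding also returns true when the stored hash's own parameters (for example the BCrypt cost factor) are weaker than the configured encoder's, the same login hook handles raising the work factor later without switching algorithms.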
 