We are enhancing our encryption by double encryption.
Till now we have only one encryption (SHA-1 hashed), and hence the Spring password encoder has support for this. In the Spring Security file we use the password encoder
<password-encoder hash="sha" base64="true"/>
Now we are enhancing our encryption more: first we generate the SHA-1 hashed string and then again do
My strong assumption is that since we are doing double encryption I might have to write my own implementing class to first do BCrypt decryption and then do one more decrypt on SHA-1.
Assuming that even if Spring has out-of-the-box support for BCrypt, then also we can't plug double decryption into the password encoder.
Please let me know if there is any other better advice.
Thanks for the quick reply.
As of now we use Spring 2.5 across our company, hence I might need to write my own class.
One thing I found out going by the BCrypt doc: looks like there is no way we can decrypt an encrypted string. The only method BCrypt provides is
where you can pass the encPass and the rawPass and compare them, and the result is true or false.
The reason I am asking this is when we store the password we do SHA hash encryption and then do BCrypt encryption.
In order to do authentication, I have to reverse the pattern: decrypt the BCrypt string and then decrypt SHA to get the actual value.
Looks like I can't use multiple encryption, and the only reason we did was for enhanced security and also we already had user passwords stored as SHA hashes, so we don't want to convert them to plain text and apply BCrypt encryption.
I hope I was able to explain correctly.
Anyway I don't have to decrypt, I can just compare hashes. One more issue I have is the performance problem with this statement
it takes a lot of time.
The larger the strength provided to gensalt, the more work will have to be done (exponentially) to hash the passwords. Since you did not specify a number of log rounds it is defaulting to 10. I guess depending on your available resources that might be what's taking a lot of time. Just to test, try providing a number of log rounds lower than 10 and see what happens ...
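As an added example (not code from this thread, from Spring, or from jBCrypt), here is the SHA-1-then-bcrypt chain discussed above in Java using the jBCrypt library (org.mindrot.jbcrypt.BCrypt, an assumed dependency): it wraps an existing SHA-1 hash in bcrypt without needing the plaintext, verifies by recomputing the inner hash and calling checkpw instead of decrypting anything, and times gensalt's log rounds as the last reply suggests. It assumes the legacy column holds the unsalted, base64-encoded SHA-1 that the password-encoder hash="sha" base64="true" config produces when no salt source is configured.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import org.mindrot.jbcrypt.BCrypt;

// Inner layer: unsalted SHA-1, base64 encoded, as the legacy Spring config stores it.
// Outer layer: bcrypt with a per-password salt from gensalt.
public class LayeredPasswordEncoder {
    static String sha1Base64(String rawPass) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] digest = md.digest(rawPass.getBytes(StandardCharsets.UTF_8));
            // Hand bcrypt a fixed text form of the digest (28 base64 chars),
            // well inside bcrypt's 72-byte input limit.
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 not available", e);
        }
    }
    // Wrap a hash already in the database. No plaintext is needed, so the existing
    // SHA-1 column can be migrated in bulk without users re-entering passwords.
    static String wrapLegacyHash(String legacySha1Base64, int logRounds) {
        return BCrypt.hashpw(legacySha1Base64, BCrypt.gensalt(logRounds));
    }
    // New passwords go through both layers in the same order.
    static String encode(String rawPass, int logRounds) {
        return wrapLegacyHash(sha1Base64(rawPass), logRounds);
    }
    // Verification never decrypts: recompute the inner hash from the submitted
    // password and let checkpw re-hash it with the salt embedded in encPass.
    static boolean matches(String rawPass, String encPass) {
        return BCrypt.checkpw(sha1Base64(rawPass), encPass);
    }
    public static void main(String[] args) {
        String legacy = sha1Base64("correct horse");  // constructed legacy column value
        String stored = wrapLegacyHash(legacy, 10);    // 10 = jBCrypt's default log rounds
        System.out.println(matches("correct horse", stored));   // right password
        System.out.println(matches("wrong password", stored));  // wrong password
        // Each extra log round doubles the bcrypt work, so the time roughly doubles too.
        for (int rounds = 4; rounds <= 12; rounds += 4) {
            long start = System.nanoTime();
            encode("correct horse", rounds);
            System.out.printf("log_rounds=%d: %d ms%n", rounds, (System.nanoTime() - start) / 1_000_000);
        }
    }
}
```

Pick the log rounds from the timing loop on your real authentication hardware, since the cost that makes bcrypt slow for an attacker is the same cost you pay at every login.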