Encoded password does not look like bcrypt




Asked on October 25, 2018
I am creating a Spring application using Spring Security. I am creating a Spring MVC Security custom login and logout with a MySQL database using Hibernate. I have inserted user data in the database, including username and password, using bcrypt encoding. When I log in, I get the error

"encoded password does not look like bcrypt"

Any solution?



Replied on October 25, 2018
It is possible that the database password column length is not as long as needed for a bcrypt password, so the bcrypt password is truncated while being inserted into the database, which results in a wrong bcrypt encryption. This is a frequent mistake we make.
The solution is to increase the password column length and insert the bcrypt password again.

Suppose we are inserting bcrypt password as 

$2a$10$N0eqNiuikWCy9ETQ1rdau.XEELcyEO7kukkfoiNISk/9F7gw6eB0W

with length 60. Suppose our password column length is 

`password` varchar(50) NOT NULL,

So while inserting password value, it will be truncated and the value will be 

$2a$10$N0eqNiuikWCy9ETQ1rdau.XEELcyEO7kukkfoiNISk/

which is an invalid bcrypt password. So we should keep the password length as

`password` varchar(100) NOT NULL,

and insert bcrypt password again.

I hope this will solve your problem.



Replied on October 25, 2018
Other possibilities:

1. Recheck that the user input password is being encoded with bcrypt in the Spring configuration file.

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
      BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
      auth.userDetailsService(myAppUserDetailsService).passwordEncoder(passwordEncoder);
}

2. Recheck that your application is reading the password value from the database into UserDetails and that it is not null, so that it can be matched with the user input password.

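@Override
public UserDetails loadUserByUsername(String userName)
        throws UsernameNotFoundException {
    UserInfo activeUserInfo = userInfoDAO.getActiveUser(userName);
    // Fail with the expected exception instead of a NullPointerException when no user is found
    if (activeUserInfo == null) {
        throw new UsernameNotFoundException("User not found");
    }
    GrantedAuthority authority = new SimpleGrantedAuthority(activeUserInfo.getRole());
    // The password passed here must be the complete bcrypt value read from the database
    UserDetails userDetails = new User(activeUserInfo.getUserName(),
            activeUserInfo.getPassword(), Arrays.asList(authority));
    return userDetails;
}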

3. Recheck that the password in the database is bcrypt encoded.
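
The checks suggested in the replies above (truncated column, null value, value that is not bcrypt) can be run against stored values with a small diagnostic. This is an added example, not code from either reply or from Spring Security; the class name `BcryptHashCheck`, the method `diagnose` and the regular expressions are assumptions based on the 60-character bcrypt layout, and all sample rows other than the hash quoted in the thread are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class BcryptHashCheck {
    // Assumed bcrypt layout: "$2a$", "$2b$" or "$2y$", a two-digit cost, "$",
    // then 53 characters of salt and hash, 60 characters in total.
    private static final Pattern FULL =
            Pattern.compile("\\$2[aby]\\$\\d\\d\\$[./0-9A-Za-z]{53}");
    // Same prefix but fewer than 53 trailing characters: a cut-off hash.
    private static final Pattern PARTIAL =
            Pattern.compile("\\$2[aby]\\$\\d\\d\\$[./0-9A-Za-z]{0,52}");

    /** Classifies a value read from the password column. */
    static String diagnose(String stored) {
        if (stored == null || stored.isEmpty()) {
            return "EMPTY: no password value was read from the database";
        }
        if (FULL.matcher(stored).matches()) {
            return "OK";
        }
        if (PARTIAL.matcher(stored).matches()) {
            return "TRUNCATED: " + stored.length()
                    + " of 60 characters stored, widen the column and re-insert";
        }
        if (FULL.matcher(stored.trim()).matches()) {
            return "PADDED: valid hash with surrounding whitespace";
        }
        return "NOT_BCRYPT: value does not have the bcrypt format";
    }

    public static void main(String[] args) {
        // Constructed sample rows; the first hash is the one quoted in the thread.
        String hash = "$2a$10$N0eqNiuikWCy9ETQ1rdau.XEELcyEO7kukkfoiNISk/9F7gw6eB0W";
        Map<String, String> rows = new LinkedHashMap<>();
        rows.put("full", hash);
        rows.put("varchar50", hash.substring(0, 50)); // what varchar(50) keeps
        rows.put("padded", hash + "  ");
        rows.put("plaintext", "secret123");
        rows.put("missing", null);
        // Print only the row label and the diagnosis, never the stored value.
        rows.forEach((name, value) ->
                System.out.println(name + " -> " + diagnose(value)));
    }
}
```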




©2024 concretepage.com