Summary

Need a byte[] parameter type for the Bcrypt.checkpw method. Currently, this method only accepts String as the parameter type.

Generally, storing the password in a String data type is not recommended. As the string is immutable, it is not flushed until the data is garbage collected.

So it opens up a vulnerability: anyone with access to a memory dump will be able to get the raw password.

A similar fix has been done for the Bcrypt.hashpw method in the past.

Comment From: iamnk

Unrelated to the above request: I think the output hash size of Bcrypt is 40 bytes in the general spec, but I am not sure about it.

So I just want to know the specifications of the Bcrypt implemented by Spring Security.

What's the size of the output hash? What is the maximum password size? What is the maximum salt size?

@eleftherias @rafahop Please assist me with this. Thanks in advance!

Comment From: iamnk

Hi @eleftherias, could you also please help me find the answer to the above question?

Comment From: eleftherias

@iamnk Can you please clarify your request?

You mention that we should add

byte[] parameter type for Bcrypt.checkpw

However, this is what was added in the commit dd2b7caee0a249ed6c56dbc1a99d955e4ee8d1ce that you referenced.

At the moment, you can access this method in version 5.3.0.RC1. If you are using an older version, then you will not have access to the checkpw that takes in a byte[], because it was only added in the most recent release.

Comment From: iamnk

Sorry, I am using the 5.2.0 artifact, as I can't find the jar for 5.3.0?

Also, I have checked that the Bcrypt.hashpw output is mostly 60 characters long; I just want to confirm it. What column length would you prefer for storing the output in MySQL?

Comment From: eleftherias

@iamnk 5.3.0.RELEASE is now available in Maven Central.

The maximum password size for BCrypt is 72 bytes. You can read more about BCrypt password size in this Stack Exchange question.

The return value of hashpw will be 59 or 60 bytes. This is because the BCrypt hash is in modular crypt format. You can read more about this format and how to interpret the hash value here.
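An added example, not from this thread or from Spring Security, that makes the answers above concrete: it parses the modular crypt format layout of a stored BCrypt hash (which is why the string is 59 or 60 characters), checks a password against the 72-byte limit, and wipes a mutable password buffer in place, the reason the issue asked for a byte[] overload. The sample hash, the function names and the Python implementation are assumptions of this example.

```python
import re
from dataclasses import dataclass

# BCrypt modular crypt format (MCF): $2<minor>$<cost>$<22-char salt><31-char hash>.
# Salt and hash use bcrypt's own base64 alphabet (./A-Za-z0-9), not RFC 4648 base64.
_BCRYPT_MCF = re.compile(
    r"^\$2(?P<minor>[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)
# bcrypt consumes at most the first 72 bytes of the password; the rest is silently ignored.
BCRYPT_MAX_PASSWORD_BYTES = 72

@dataclass(frozen=True)
class BcryptHash:
    minor: str   # "" for the legacy "$2$" prefix, otherwise a, b, x or y
    cost: int    # log2 of the round count, 4..31
    salt: str    # 22 chars encoding 16 salt bytes
    digest: str  # 31 chars encoding 23 hash bytes
    length: int  # 59 for "$2$", 60 for "$2a$"/"$2b$"/"$2x$"/"$2y$"

def parse_bcrypt_hash(value: str) -> BcryptHash:
    """Split a stored BCrypt string into its MCF fields, rejecting malformed input."""
    m = _BCRYPT_MCF.match(value)
    if m is None:
        raise ValueError("not a BCrypt modular-crypt-format hash")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} is outside the BCrypt range 4..31")
    return BcryptHash(m.group("minor"), cost, m.group("salt"), m.group("hash"), len(value))

def is_bcrypt_hash(value: str) -> bool:
    """Cheap shape check before handing a stored value to a checkpw-style verifier."""
    try:
        parse_bcrypt_hash(value)
        return True
    except ValueError:
        return False

def password_fits_bcrypt(password: str) -> bool:
    """True if the UTF-8 form fits the 72 bytes bcrypt uses; enforce at registration so
    nobody picks a password whose tail is never compared."""
    return len(password.encode("utf-8")) <= BCRYPT_MAX_PASSWORD_BYTES

def wipe(buf: bytearray) -> None:
    """Zero a mutable password buffer in place (what a Java byte[] lets you do, a String does not)."""
    for i in range(len(buf)):
        buf[i] = 0

# Constructed sample (cost 10, "$2a$" variant) for demonstration; not a real credential.
SAMPLE_HASH = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"
```

Parsing the sample gives length 60, the tight fit for a MySQL column; a "$2$" hash without the minor letter parses to 59, so a 60-character column covers both.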