Summary

The Pbkdf2PasswordEncoder class always generates an 8-byte salt. NIST Special Publication 800-132 section 5.1 calls for at least a 16-byte salt. Having a constructor parameter to either replace the BytesKeyGenerator or choose the key length of the generated BytesKeyGenerator would be very helpful.

Version

Spring 4.1 and above

Sample

String secret = "secret";
int iterations = 200000;
int hashWidth = 256;
int saltLength = 16;
// proposed constructors taking the salt length explicitly
new Pbkdf2PasswordEncoder(secret, iterations, hashWidth, saltLength);
new Pbkdf2PasswordEncoder(secret, saltLength);
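To show what a configurable salt length looks like in practice, here is an added standalone Java 17 example (not Spring Security's code): a hypothetical SaltedPbkdf2 class that rejects salts shorter than the NIST SP 800-132 minimum, stores the salt in front of the hash, and verifies with a constant-time compare. The salt-prefixed hex layout and the choice of PBKDF2WithHmacSHA256 are assumptions of this example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HexFormat;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical PBKDF2 encoder with a configurable salt length (example code, not Spring's). */
public final class SaltedPbkdf2 {
    private static final int NIST_MIN_SALT_BYTES = 16; // NIST SP 800-132 section 5.1 minimum
    private static final int HASH_BYTES = 32;          // SHA-256 output width
    private static final SecureRandom RNG = new SecureRandom();
    private final int iterations;
    private final int saltLength;

    SaltedPbkdf2(int iterations, int saltLength) {
        if (saltLength < NIST_MIN_SALT_BYTES)
            throw new IllegalArgumentException("salt must be at least " + NIST_MIN_SALT_BYTES + " bytes");
        this.iterations = iterations;
        this.saltLength = saltLength;
    }

    /** Returns hex(salt || PBKDF2(password, salt)); the salt travels with the hash, so any length works. */
    String encode(char[] password) throws Exception {
        byte[] salt = new byte[saltLength];
        RNG.nextBytes(salt);
        byte[] hash = derive(password, salt);
        byte[] out = Arrays.copyOf(salt, salt.length + hash.length);
        System.arraycopy(hash, 0, out, salt.length, hash.length);
        return HexFormat.of().formatHex(out);
    }

    /** Splits the stored salt off, re-derives, and compares in constant time. */
    boolean matches(char[] password, String encoded) throws Exception {
        byte[] stored = HexFormat.of().parseHex(encoded);
        if (stored.length != saltLength + HASH_BYTES) return false; // wrong salt length or truncated
        byte[] salt = Arrays.copyOfRange(stored, 0, saltLength);
        byte[] expected = Arrays.copyOfRange(stored, saltLength, stored.length);
        return MessageDigest.isEqual(expected, derive(password, salt));
    }

    private byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BYTES * 8);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
}
```

With `new SaltedPbkdf2(200000, 16)`, `encode` yields 96 hex characters (16 salt bytes plus 32 hash bytes); an 8-byte salt would be rejected by the constructor.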

Comment From: dyroberts

Yes, this would be great. OWASP recommends a 32-byte salt. https://www.owasp.org/index.php/Hashing_Java

Comment From: rwinch

Closed in favor of gh-9147