Password hashes are usually identical for the same input (and, very occasionally, identical for different inputs). bcrypt and similar schemes, however, produce a different hash each time. This isn't a problem, because the PasswordEncoder interface provides not only the String encodePassword(String rawPass, Object salt) method to generate hashes but also the boolean isPasswordValid(String encPass, String rawPass, Object salt) method to validate them.

With simpler hashes like MD5, SHA-1, etc., verification is simply re-encoding the cleartext password and checking that it's the same as the stored hashed value. The process is more involved with bcrypt, but the end result is the same: rather than checking the two values for string equality, it checks that they're equivalent, re-hashing the candidate password with the salt carried inside the stored hash. So if you hash the same password twice you get two different strings, yet isPasswordValid returns true for the raw password against either of them.
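The behaviour described above, as an added example that is not part of the original post and not Spring Security's own code: a stand-in for the encodePassword / isPasswordValid pair in Python. It uses PBKDF2-HMAC-SHA256 from the standard library in place of bcrypt so it runs offline, and stores the salt and work factor inside the encoded string (the "$pbkdf2-sha256$..." layout is a constructed format modelled on how bcrypt embeds its salt and cost in its "$2a$..." output). The function names, the format and the sample password are all assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical stand-in for the old Spring Security PasswordEncoder methods.
# PBKDF2-HMAC-SHA256 replaces bcrypt so the example needs no third-party
# library; the idea is the same: the salt lives inside the stored value.
ITERATIONS = 100_000   # work factor, the analogue of bcrypt's cost parameter
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def encode_password(raw_pass: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: $pbkdf2-sha256$<iters>$<salt>$<dk>.
    A fresh random salt is drawn on every call unless one is supplied, so two
    calls with the same password yield two different strings."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", raw_pass.encode("utf-8"), salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${_b64(salt)}${_b64(dk)}"


def is_password_valid(enc_pass: str, raw_pass: str) -> bool:
    """Verify by re-deriving with the salt and iteration count parsed out of
    the stored value, then comparing in constant time. Two independently
    produced hashes are never compared to each other for equality."""
    try:
        _, algo, iters, salt_b64, dk_b64 = enc_pass.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except (ValueError, TypeError):
        return False  # malformed stored value: reject rather than crash
    if algo != "pbkdf2-sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", raw_pass.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    """Hash one constructed password twice and exercise the verifier."""
    h1 = encode_password("correct horse")
    h2 = encode_password("correct horse")
    return {
        "strings_differ": h1 != h2,                                 # True: different salts
        "h1_valid": is_password_valid(h1, "correct horse"),        # True
        "h2_valid": is_password_valid(h2, "correct horse"),        # True
        "wrong_rejected": is_password_valid(h1, "wrong"),          # False
        "garbage_rejected": is_password_valid("not-a-hash", "correct horse"),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to notice is in is_password_valid: the stored string is parsed for its salt and work factor, the candidate password is re-derived under those parameters, and only then are the two digests compared (with hmac.compare_digest, so the comparison does not leak timing). Comparing encode_password(x) to encode_password(x) directly would fail almost every time, which is exactly why the verifier method exists.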