Question

I have bCryptPasswordEncoder implemented in my Spring Security setup; at present I am using its simple constructor without any argument. How can I make it stronger?

Following this question, I tried to use random and 512 as its strength, but it does not find the declared namespace.

    <beans:beans xmlns='http://www.springframework.org/schema/security'
                 xmlns:beans='http://www.springframework.org/schema/beans'
                 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
                 xsi:schemaLocation='http://www.springframework.org/schema/beans
                     http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                     http://www.springframework.org/schema/security
                     http://www.springframework.org/schema/security/spring-security-3.1.xsd'
                 xmlns:c='http://www.springframework.org/schema/c'>

        .....
        </authentication-manager>
        <beans:bean id='bCryptPasswordEncoder' class='org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder' c:strength="512" c:random="20"/>

My code

    import java.security.SecureRandom;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    // Build a SecureRandom and draw some bytes from it (the bytes themselves are not used)
    SecureRandom random = new SecureRandom();
    byte bytes[] = new byte[20];
    random.nextBytes(bytes);
    // Strength 512 is what the question is asking about; see the error below
    PasswordEncoder passwordEncoder = new BCryptPasswordEncoder(512, random);
    String digest = passwordEncoder.encode(rawPassword);
    System.out.println(digest);

The error is as follows:

    Error: File not found in the specified address : http://www.springframework.org/schema/c

pom.xml

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>3.1.1.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>3.1.1.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>3.1.4.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
        <version>3.1.1.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>3.1.1.RELEASE</version>
    </dependency>

Solution

You are missing the schemaLocation declaration for the 'c' schema. Just remove it and use a plain bean declaration:

<beans:bean id='bCryptPasswordEncoder' class='org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder'>
    <beans:constructor-arg value="12" />
</beans:bean>

You should probably read up on BCrypt before trying to configure it to "make it stronger", and also be able to explain why the default isn't strong enough for your requirements. The strength parameter is logarithmic, and defaults to 10. Each time you increment it you double the amount of work needed, and the time your app will take to check a password. So a value of 512 doesn't make any sense. If you supply a value greater than 31 you will get an error.

Also, I don't know why you are trying to set the random instance to 20 in your XML configuration. That argument has to be a SecureRandom instance, so you should probably remove that.

Other tips

The BCryptPasswordEncoder API documentation is a bit lacking on the input parameters.

Regarding "strength" it mentions that this is "the log rounds to use" and defaults to 10. The source adds that this number is "the log2 of the number of rounds of hashing to apply - the work factor therefore increases as 2**log_rounds".

Regarding the "SecureRandom" parameter the source only says "an instance of SecureRandom to use" and it can be seen that if one isn't supplied Spring Security instantiates one of its own with "new SecureRandom()". It then does "byte rnd[] = new byte[BCRYPT_SALT_LEN];" where BCRYPT_SALT_LEN is 16 and feeds rnd to random with "random.nextBytes(rnd);". SecureRandom is a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) and the only thing you can change about it is the seed value. The biggest factor in seeding is uniqueness.

As an actual answer to the question, aside from the missing schemaLocation, to strengthen the encoding you would increase the "strength" to a higher number, 31 being the max, but for the most part the default of 10 should suit most users' needs. You could also provide your own instance of SecureRandom but I doubt there is any advantage over allowing Spring to handle that for you.
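Putting the strength limits from both answers into runnable form, as an added example that is not code from the question or either answer: it uses the same BCryptPasswordEncoder class the question already references, a constructed sample password, and a hypothetical class name BcryptStrengthDemo.

```java
import java.security.SecureRandom;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example (not the question's or answers' code): shows the valid 4..31
// strength range, the doubling of work per increment, and the cost stored in the hash.
public class BcryptStrengthDemo {

    /** Constructed sample password; not a real credential. */
    private static final String RAW_PASSWORD = "correct horse battery staple";

    /** Times one encode() call at the given strength; returns milliseconds. */
    static long timeEncode(int strength) {
        PasswordEncoder encoder = new BCryptPasswordEncoder(strength, new SecureRandom());
        long start = System.nanoTime();
        encoder.encode(RAW_PASSWORD);
        return (System.nanoTime() - start) / 1_000_000L;
    }

    /** Reads the cost factor back from a stored hash ("$2a$12$..." -> 12). */
    static int costOf(String bcryptHash) {
        // Format is $<version>$<2-digit cost>$<22-char salt><31-char digest>
        return Integer.parseInt(bcryptHash.substring(4, 6));
    }

    public static void main(String[] args) {
        // 512 is not a valid log-rounds value: the constructor or encode() throws
        // IllegalArgumentException (which one depends on the Spring Security version).
        try {
            new BCryptPasswordEncoder(512).encode(RAW_PASSWORD);
            System.out.println("strength 512 unexpectedly accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("strength 512 rejected: " + e.getMessage());
        }

        // Work factor is 2^strength: expect the time to roughly double per step.
        for (int strength = 10; strength <= 13; strength++) {
            System.out.printf("strength %d: %d ms%n", strength, timeEncode(strength));
        }

        // The cost travels inside the hash, so matches() needs no separate setting,
        // and an audit of stored hashes can spot entries created with a weak cost.
        PasswordEncoder encoder = new BCryptPasswordEncoder(12);
        String stored = encoder.encode(RAW_PASSWORD);
        System.out.println("stored hash cost factor: " + costOf(stored));
        System.out.println("matches: " + encoder.matches(RAW_PASSWORD, stored));
    }
}
```

Run it once on the production hardware to pick the largest strength whose login latency is still acceptable, since the right value depends on the machine, not on the library default.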

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow