Password security is one of the most critical responsibilities in backend development. Improper password storage is a leading cause of major security breaches.
Spring Security provides a robust framework for:
- hashing passwords
- verifying credentials securely
- supporting multiple encoding algorithms
- upgrading encryption strategies over time
Golden Rule:
Passwords must NEVER be stored in plain text.
If attackers gain database access and passwords are not properly protected:
- all user accounts are compromised
- credential stuffing attacks become possible
- regulatory violations may occur
- brand trust is damaged
Password security is a first line of defense.
Many developers confuse these terms.
| Feature | Encryption | Hashing |
|---|---|---|
| Reversible | Yes | No |
| Key required | Yes | No |
| Suitable for passwords | ❌ No | ✅ Yes |
If encryption keys leak → passwords can be decrypted.
- one-way transformation
- original password cannot be recovered
A PasswordEncoder is responsible for:
- hashing raw passwords during registration
- verifying passwords during login
Spring Security interface:
public interface PasswordEncoder {
String encode(CharSequence rawPassword);
boolean matches(
CharSequence rawPassword,
String encodedPassword
);
}User enters password
↓
Raw password is hashed
↓
Compared with stored hash
↓
Match → authenticated
Passwords are never decrypted.
BCrypt is designed specifically for password hashing.
Key features:
- built-in salting
- adaptive strength
- slow by design
- resistant to brute-force attacks
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}String hash = passwordEncoder.encode("myPassword");Example hash:
$2a$10$7sdf8sdf87sdf...
Even the same password generates different hashes due to salting.
passwordEncoder.matches(rawPassword, storedHash);Internally:
- extracts salt
- hashes raw password
- compares safely
No manual comparison is required.
BCrypt allows configurable strength:
new BCryptPasswordEncoder(12);Default is typically 10.
- slower hashing
- stronger protection
- more CPU usage
Choose based on system performance.
Typical production range:
10 – 14
A random value added to the password before hashing.
Without salt:
password123 → same hash everywhere
With salt:
password123 → different hash per user
This prevents:
- rainbow table attacks
- hash lookup attacks
BCrypt handles salting automatically.
Spring Security supports multiple encoders.
- modern algorithm
- memory-hard
- extremely resistant to GPU attacks
Considered one of the strongest options.
- widely trusted
- NIST recommended
- slower than SHA
Never use:
- MD5
- SHA-1
- plain SHA-256 (without proper salting/iterations)
These are too fast, making brute-force attacks easier.
Spring Security recommends:
PasswordEncoderFactories
.createDelegatingPasswordEncoder();Supports multiple algorithms simultaneously.
Example stored password:
{bcrypt}$2a$10$...
Prefix identifies the encoder.
You can upgrade algorithms without breaking existing users.
Example migration:
Old users → bcrypt
New users → argon2
System handles both seamlessly.
User Login
↓
AuthenticationProvider
↓
UserDetailsService → fetch hashed password
↓
PasswordEncoder.matches()
↓
Authentication success/failure
PasswordEncoder is used inside AuthenticationProvider.
You should NEVER compare passwords manually.
user.setPassword(
passwordEncoder.encode(dto.getPassword())
);Never store raw password.
Even hashed passwords should not be exposed.
Use DTOs carefully.
Disable request-body logging for auth endpoints.
Because hashing is one-way and cannot be reversed.
It is salted, adaptive, and slow — making brute-force attacks difficult.
Yes, due to salting.
Inside AuthenticationProvider during credential verification.
A flexible encoder that supports multiple hashing algorithms.
-
Never store plain-text passwords
-
Always hash using strong algorithms
-
BCrypt is the industry standard
-
Argon2 is a strong modern alternative
-
PasswordEncoder handles hashing and verification
-
DelegatingPasswordEncoder supports algorithm upgrades
-
Password security is foundational to backend safety