Learn how to implement password encryption with BCryptPasswordEncoder in Spring Security. This post covers why BCrypt is secure and how to use it for hashing passwords with real-world examples.

Why Use Password Encryption?
Storing plain-text passwords is a critical security risk. If your database is compromised, all user credentials are instantly exposed. That's where password encryption comes in, and BCryptPasswordEncoder is one of the most secure options available in Spring Security.
What is BCryptPasswordEncoder?
BCryptPasswordEncoder is a Spring Security class that implements the BCrypt hashing algorithm. It:
- Adds a random salt to each password
- Is adaptive, meaning you can increase its workload as hardware improves
- Resists rainbow table and brute force attacks
Using password encryption with BCryptPasswordEncoder helps ensure your user credentials remain secure, even if attackers access your database.
Maven Dependencies
Add the following dependency to your pom.xml:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
```
Project Structure

```
com.kscodes.security.encryption
├── config/
│   └── SecurityConfig.java
├── controller/
│   └── UserController.java
├── model/
│   └── UserDto.java
├── service/
│   └── UserService.java
└── PasswordEncryptionApplication.java
```
Create a DTO for User Registration
UserDto.java

```java
package com.kscodes.security.encryption.model;

// Request body for /api/users/register: the raw password only lives here
// until the service hashes it.
public class UserDto {

    private String username;
    private String password;

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}
```
Create a Password Encoder Bean
SecurityConfig.java

```java
package com.kscodes.security.encryption.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // Default strength = 10
    }
}
```
Password Encryption with BCryptPasswordEncoder (in action)
UserService.java

```java
package com.kscodes.security.encryption.service;

import com.kscodes.security.encryption.model.UserDto;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class UserService {

    private final PasswordEncoder passwordEncoder;

    public UserService(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    public String register(UserDto userDto) {
        // encode() generates a fresh random salt and embeds it in the result
        String encryptedPassword = passwordEncoder.encode(userDto.getPassword());

        // Simulate saving encrypted password to DB
        System.out.println("Encrypted password for user " + userDto.getUsername() + ": " + encryptedPassword);

        return encryptedPassword;
    }

    public boolean verifyPassword(String rawPassword, String hashedPassword) {
        // matches() re-hashes rawPassword with the salt stored in hashedPassword and compares
        return passwordEncoder.matches(rawPassword, hashedPassword);
    }
}
```
Expose Controller Endpoint
UserController.java

```java
package com.kscodes.security.encryption.controller;

import com.kscodes.security.encryption.model.UserDto;
import com.kscodes.security.encryption.service.UserService;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/api/users")
public class UserController {

    private final UserService userService;

    public UserController(UserService userService) {
        this.userService = userService;
    }

    @PostMapping("/register")
    public String register(@RequestBody UserDto userDto) {
        return userService.register(userDto);
    }

    @GetMapping("/verify")
    public String verify(@RequestParam String raw, @RequestParam String encrypted) {
        boolean match = userService.verifyPassword(raw, encrypted);
        return match ? "Passwords match!" : "Invalid password!";
    }
}
```
Test the Flow
1. Register a user

```shell
curl -X POST http://localhost:8080/api/users/register \
     -H "Content-Type: application/json" \
     -d '{"username":"ketan", "password":"mysecret"}'
```

You will get a hashed password like:

```
$2a$10$w1XvfpD9XK1nsmJPmQCe1uvsPwOxfRPfA1jhCFcCD3uyI6V1c5F.O
```

2. Verify a password

```shell
curl "http://localhost:8080/api/users/verify?raw=mysecret&encrypted=<paste_encoded_string>"
```

Output: Passwords match!
Best Practices for Password Encryption with BCryptPasswordEncoder
- Never store raw passwords, not even temporarily.
- Always store the encrypted hash returned by encode().
- Use matches() to verify login attempts.
- Optionally increase strength (e.g., new BCryptPasswordEncoder(12)) for more security (at the cost of CPU usage).
- Re-hash stored passwords if your security policies change.
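As an added example that ties the last two points together (this is not code from the original post), a hypothetical LoginService uses matches() for the login check and BCryptPasswordEncoder.upgradeEncoding() to re-hash a stored password the first time the user logs in after the strength was raised; an in-memory map stands in for the database.

```java
package com.kscodes.security.encryption.service;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical service (added example). Verifies a login with matches() and, when the
// stored hash was produced with a lower cost than the encoder now uses, re-hashes it.
public class LoginService {
    // Constructed in-memory stand-in for the users table: username -> BCrypt hash.
    private final Map<String, String> hashByUser = new ConcurrentHashMap<>();
    private final PasswordEncoder passwordEncoder;

    public LoginService(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    // Loads an existing hash (e.g. one written under an older strength setting).
    public void seed(String username, String existingHash) {
        hashByUser.put(username, existingHash);
    }

    public String storedHash(String username) {
        return hashByUser.get(username);
    }

    // Returns true only when rawPassword matches the stored hash for the user.
    public boolean login(String username, String rawPassword) {
        String storedHash = hashByUser.get(username);
        if (storedHash == null || !passwordEncoder.matches(rawPassword, storedHash)) {
            return false;
        }
        // upgradeEncoding() reads the cost from the "$2a$10$" prefix and returns true when
        // it is below the encoder's strength; the raw password is only in hand right now.
        if (passwordEncoder.upgradeEncoding(storedHash)) {
            hashByUser.put(username, passwordEncoder.encode(rawPassword));
        }
        return true;
    }

    public static void main(String[] args) {
        // A hash written while the bean was still new BCryptPasswordEncoder(10) ...
        String legacyHash = new BCryptPasswordEncoder(10).encode("mysecret");
        // ... and the service after the policy was raised to strength 12.
        LoginService service = new LoginService(new BCryptPasswordEncoder(12));
        service.seed("ketan", legacyHash);
        boolean ok = service.login("ketan", "mysecret");
        System.out.println("login=" + ok + " upgraded=" + service.storedHash("ketan").startsWith("$2a$12$"));
    }
}
```

Running main prints whether the login succeeded and whether the stored hash now carries the $2a$12$ prefix, so the cost increase takes effect without asking the user to reset anything.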
Summary
Using password encryption with BCryptPasswordEncoder in Spring Security helps protect your application from one of the most critical vulnerabilities: password leaks. It's a standard tool used by professionals to hash, store, and verify user passwords securely.