Spring Security - Password Encryption - Bcrypt Overview

Chad Darby
A free video tutorial from Chad Darby
Spring & Hibernate for Beginners (includes Spring Boot)

Spring 5: Learn Spring 5 Core, AOP, Spring MVC, Spring Security, Spring REST, Spring Boot 2, Thymeleaf, JPA & Hibernate

40:47:36 of on-demand video • Updated November 2020

  • Develop a REAL-TIME project with Spring MVC, Spring REST, Spring Boot and Hibernate CRUD ... all from SCRATCH
  • You will TYPE IN EVERY LINE of code with me in the videos. I EXPLAIN every line of code to help you learn!
  • LEARN key Spring 5 features: Core, Annotations, Java Config, AOP, Spring MVC, Hibernate and Maven
  • I am a RESPONSIVE INSTRUCTOR ... post your questions and I will RESPOND in 24 hours.
  • POPULAR VIDEOS for: Spring Boot 2, Spring Security, Spring REST, Spring Data JPA, Spring Data REST and Thymeleaf
  • Join an ACTIVE COMMUNITY of 175,000+ students that are already enrolled! Over 44,000+ Reviews - 5 STARS
  • Students have LANDED NEW JOBS with the skills from this course. Spring and Hibernate developers are in HIGH-DEMAND!
  • You can DOWNLOAD all videos, source code and PDFs. Perfect for offline LEARNING and REVIEW.
In this video we're going to use Spring Security with password encryption. So far, our user passwords are stored in plain text. Yikes! That's okay for getting started, but it's not for production, not ready for real-time projects. So the best practice is to store the password in an encrypted format. Here are the users, John, Mary, and Susan, and their passwords. Notice that it's an encrypted version of the password. So if our database were hacked, the hackers wouldn't be able to figure out the plain text version of these passwords, because they are encrypted.

The Spring Security team recommends using the popular bcrypt algorithm. The bcrypt algorithm performs a one-way encrypted hash that adds a random salt to the password for additional protection, and it also includes support to defeat brute force attacks. So this is the current recommendation from the Spring team, and it's a popular one-way password hashing algorithm that's used by other projects.

Now if you'd like more background information on bcrypt, I have some links here for you. If you'd like to know why you should use bcrypt to hash passwords, go to luv2code.com/why-bcrypt. If you'd like a detailed bcrypt algorithm analysis, go to luv2code.com/bcrypt-wiki-page. And finally, if you'd like to learn more best practices on password hashing, go to luv2code.com/password-hashing-best-practices. These links will redirect you to other websites that provide all the detailed information, and don't worry about having to write down each of these links: in the following lecture, I'll have a text-based lecture where I simply provide the links, and you can click on them with your browser.

So now you may wonder how to get a bcrypt password. You have a plain text password, and you want to encrypt it using bcrypt.
One option is to use a website utility to perform the encryption. Another option is to write Java code to perform the encryption. I'll cover option one in this video, and option two in some of the later videos in the course.

All righty, so: getting a bcrypt password using a website. You can simply go to luv2code.com/generate-bcrypt-password. It's going to redirect you to a website utility. You enter your plain text password, and the website generates a bcrypt password for you.

All right, so let's look at a quick demo of this. Move to your web browser and access this website: luv2code.com/generate-bcrypt-password. As I mentioned, it's going to redirect you to this website, and the way it works is that you have some text fields: you enter your plain text password, you hit calculate, and it generates the encrypted password for you. For the plain text password I'm going to enter test123, then I'll move down and hit the calculate button, and boom, right there at the bottom is the generated password. So this is an encrypted version of the plain text test123, using bcrypt.

Now one important thing to note is that multiple runs will generate a different password due to the random password salting. You can start with the same plain text password test123, but if you hit calculate multiple times, you'll get a different generated password, and that's again due to random password salting. Effectively, salting is random bits of data that are added to the password to make it unique. You can find more details on password salting using those links I provided earlier in this video. So taking a look at this example, we have a generated password. Let's keep an eye on the last couple of digits here.
Let's go ahead and hit calculate one more time for test123. Notice that it changes. Basically the whole thing changed, but I wanted you to at least focus on the last couple of characters, so you can get an idea of what is being changed. So that's the idea of generating or calculating a bcrypt password. What we can do with this is use these encrypted passwords and add them to the user accounts in our database. Effectively, we can seed our user accounts with encrypted passwords out of the box.
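The video covers option one (the website utility); the following is an added example of option two, written for this page and not taken from the course. It uses Spring Security's own `BCryptPasswordEncoder` to reproduce what the demo showed: hashing the same plain text `test123` twice yields two different stored strings because each run picks a fresh random salt, yet both verify, because the salt is stored inside the hash string itself. It assumes `spring-security-crypto` (or `spring-security-core`) is on the classpath; the class name `BcryptDemo`, the `STRENGTH` constant and the helper methods are constructed for this demo.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Added example (not the course's code): generating and checking bcrypt
// password hashes in Java with Spring Security's BCryptPasswordEncoder.
// Assumes spring-security-crypto is on the classpath.
public class BcryptDemo {

    // Work factor ("strength"): bcrypt performs 2^STRENGTH key-expansion
    // rounds, which is what makes brute-force guessing expensive.
    // 10 is Spring Security's default; raise it as hardware gets faster.
    private static final int STRENGTH = 10;

    private static final BCryptPasswordEncoder ENCODER =
            new BCryptPasswordEncoder(STRENGTH);

    /** Hash a plain-text password; a new random salt is generated on every call. */
    public static String hash(String plainText) {
        return ENCODER.encode(plainText);
    }

    /** Verify a login attempt against a stored hash; the salt is read back from the hash. */
    public static boolean verify(String plainText, String storedHash) {
        return ENCODER.matches(plainText, storedHash);
    }

    /**
     * Read the cost factor out of a "$2a$10$<salt+hash>" string, so stored
     * hashes can be audited for a work factor that is too low.
     */
    public static int costOf(String storedHash) {
        String[] parts = storedHash.split("\\$");   // ["", "2a", "10", "<salt+hash>"]
        return Integer.parseInt(parts[2]);
    }

    public static void main(String[] args) {
        String plain = "test123";   // same plain text as in the video demo

        String hash1 = hash(plain);
        String hash2 = hash(plain);

        System.out.println("hash 1: " + hash1);
        System.out.println("hash 2: " + hash2);

        // Different salt, so a different stored string for the same password.
        System.out.println("hashes differ:          " + !hash1.equals(hash2));

        // Both still verify, because each hash carries its own salt.
        System.out.println("hash 1 verifies:        " + verify(plain, hash1));
        System.out.println("hash 2 verifies:        " + verify(plain, hash2));

        // A wrong guess is rejected.
        System.out.println("wrong password rejected: " + !verify("test124", hash1));

        System.out.println("cost factor in hash:    " + costOf(hash1));
    }
}
```

Either generated string can be pasted into the users table exactly as the website-generated one would be. Note that Spring Security 5's default `DelegatingPasswordEncoder` expects stored values to carry an algorithm prefix, so a hash seeded this way is typically stored as `{bcrypt}` followed by the hash; that prefix is a Spring Security convention, not part of the bcrypt output.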