Password security is a popular topic. The most basic tenet of password security is to have no password at all. Wait, what? That’s right, no password should be stored in your database, ever. Instead, store it as a hash, along with the salt, and throw the original password away. Ask 10 different developers, and I’ll bet that MD5 would be offered as the most popular solution for this problem. Though, if you’ve explored the linked content, you’ll have undoubtedly noticed that Bcrypt is mentioned more than a few times.
“Bcrypt is a cross platform file encryption utility. Encrypted files are portable across all supported operating systems and processors. Passphrases must be between 8 and 56 characters and are hashed internally to a 448 bit key. However, all characters supplied are significant. The stronger your passphrase, the more secure your data.”
For us Java developers, there’s jBCrypt. It is an “implementation of OpenBSD’s Blowfish password hashing code” and offers a rather simple API. A quick web search yields a bit of information on using jBCrypt itself, but nothing on integrating it with the Spring Framework. Given that this is a topic of interest to me, I’ve put together a simple yet comprehensive example web application to demonstrate an integration of jBCrypt, Spring MVC, Spring Security and Hibernate for hashing user passwords. There are three areas I’ve focused on in this example: user creation, user authentication and changing the user’s password.
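The three operations named above, written directly against the jBCrypt API, as an added example that is not code from the original post or its sample application. The `UserStore` class, its method names and the in-memory map standing in for the Hibernate-backed user table are assumptions made for this example; `BCrypt.gensalt`, `BCrypt.hashpw` and `BCrypt.checkpw` are the real jBCrypt entry points.

```java
import org.mindrot.jbcrypt.BCrypt;

import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not from the original post): user creation, authentication
 * and password change using jBCrypt. UserStore and the in-memory map are
 * assumptions standing in for the post's Hibernate-backed user table.
 */
public class UserStore {

    /** Work factor: gensalt(log_rounds) makes bcrypt run 2^log_rounds rounds. */
    private static final int LOG_ROUNDS = 12;

    /**
     * A throwaway hash used when the username is unknown, so a login attempt
     * for a non-existent user costs the same time as one for a real user.
     */
    private static final String DUMMY_HASH =
            BCrypt.hashpw("not-a-real-password", BCrypt.gensalt(LOG_ROUNDS));

    /** username -> bcrypt hash string; the salt and cost are embedded in the hash. */
    private final Map<String, String> users = new HashMap<>();

    /** User creation: hash with a fresh random salt; the plaintext is never stored. */
    public void createUser(String username, String password) {
        if (users.containsKey(username)) {
            throw new IllegalArgumentException("user already exists: " + username);
        }
        // bcrypt only uses the first 72 bytes of the password; longer input is silently truncated.
        String hash = BCrypt.hashpw(password, BCrypt.gensalt(LOG_ROUNDS));
        users.put(username, hash);
    }

    /** Authentication: checkpw re-hashes the candidate with the salt stored in the hash. */
    public boolean authenticate(String username, String candidate) {
        String stored = users.get(username);
        if (stored == null) {
            BCrypt.checkpw(candidate, DUMMY_HASH); // spend the same time as a real check
            return false;
        }
        return BCrypt.checkpw(candidate, stored);
    }

    /** Password change: require the current password, then store a new salted hash. */
    public boolean changePassword(String username, String current, String replacement) {
        if (!authenticate(username, current)) {
            return false;
        }
        users.put(username, BCrypt.hashpw(replacement, BCrypt.gensalt(LOG_ROUNDS)));
        return true;
    }

    /** Exposed so the stored form can be inspected; never log this in a real application. */
    public String storedHash(String username) {
        return users.get(username);
    }

    public static void main(String[] args) {
        UserStore store = new UserStore();
        store.createUser("alice", "correct horse battery staple"); // constructed sample user

        // The stored value is "$2a$12$<22-char salt><31-char hash>": cost and salt travel with it.
        System.out.println("stored: " + store.storedHash("alice"));

        System.out.println("login ok:        " + store.authenticate("alice", "correct horse battery staple"));
        System.out.println("login bad pw:    " + store.authenticate("alice", "wrong"));
        System.out.println("login no user:   " + store.authenticate("mallory", "anything"));

        System.out.println("change (wrong):  " + store.changePassword("alice", "wrong", "new-secret"));
        System.out.println("change (right):  " + store.changePassword("alice", "correct horse battery staple", "new-secret"));
        System.out.println("old pw rejected: " + !store.authenticate("alice", "correct horse battery staple"));
        System.out.println("new pw accepted: " + store.authenticate("alice", "new-secret"));
    }
}
```

Two points worth noticing when running this: hashing the same password twice produces two different strings, because `gensalt` draws a new random salt each time, which is what defeats the precomputed-table attacks that make unsalted MD5 unsuitable; and the cost factor is recorded inside the hash, so `LOG_ROUNDS` can be raised later for new hashes while `checkpw` still verifies old ones at their original cost.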
Carl Sziebert is a loving husband, devoted father, and accomplished software engineer, living and working in the San Francisco Bay Area. He is no stranger to code, having spent the better part of a decade developing software for a diverse range of organizations, including small startups, large corporations, and government agencies. Having built a solid foundation of skills from these experiences, Carl now works as an engineer at 