Why the strength of BCryptPasswordEncoder is in between 4 and 31?


According to the docs:

Implementation of PasswordEncoder that uses the BCrypt strong hashing function. Clients can optionally supply a "strength" (a.k.a. log rounds in BCrypt) and a SecureRandom instance. The larger the strength parameter the more work will have to be done (exponentially) to hash the passwords. The default value is 10.

Best answer:

The strength is translated to iterations. For strength x there will be 2^x iterations. Implementations are assumed to use an unsigned 32-bit integer, where the maximum value is 4294967295. If x is larger than 31, 2^x is bigger than this maximum value and an overflow would occur.

In practice, the Java implementation in Spring Security actually uses a 64-bit long since integers are signed in Java (the maximum of int is 2^31-1).

A strength of 31 or close to it is very slow and not usable anyway.
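As an added illustration (not code from the question, the answer, or Spring Security itself): a Java program that enforces the 4..31 range, shows the 32-bit overflow the answer describes, reads the cost back out of the produced hash, and times Spring's BCryptPasswordEncoder at increasing strengths so a work factor can be chosen from measured latency. It assumes spring-security-crypto is on the classpath; the class name and the sample password are constructed for this example.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BcryptStrengthDemo {

    // BCrypt "strength" is log2 of the iteration count.
    // Spring Security accepts only 4..31 (or -1, meaning the default of 10).
    static final int MIN_STRENGTH = 4;
    static final int MAX_STRENGTH = 31;

    // Iterations as a 64-bit long: 1L << 31 = 2147483648 fits, whereas the
    // 32-bit int expression 1 << 31 wraps to Integer.MIN_VALUE.
    static long iterations(int strength) {
        if (strength < MIN_STRENGTH || strength > MAX_STRENGTH) {
            throw new IllegalArgumentException("strength must be in [4, 31], got " + strength);
        }
        return 1L << strength;
    }

    // The cost is stored in the hash itself ("$2a$10$..."), so an application
    // can detect stored hashes that were produced with an outdated strength.
    static int costOf(String bcryptHash) {
        String[] parts = bcryptHash.split("\\$");   // ["", "2a", "10", "<salt+hash>"]
        return Integer.parseInt(parts[2]);
    }

    public static void main(String[] args) {
        System.out.println("int  1 << 31  = " + (1 << 31));        // -2147483648 (overflow)
        System.out.println("long 1L << 31 = " + iterations(31));   // 2147483648

        // Cost doubles per strength step; pick the largest value whose
        // latency the login path can tolerate (constructed sample password).
        String password = "correct horse battery staple";
        for (int strength = 4; strength <= 12; strength++) {
            BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(strength);
            long start = System.nanoTime();
            String hash = encoder.encode(password);
            long millis = (System.nanoTime() - start) / 1_000_000;
            System.out.printf("strength %2d -> %10d iterations, cost field %2d, %5d ms%n",
                    strength, iterations(strength), costOf(hash), millis);
            if (!encoder.matches(password, hash)) {
                throw new IllegalStateException("verification failed at strength " + strength);
            }
        }
    }
}
```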