Spring Security: Password Encoder

This blog post will teach Spring Security's Password Encoder interface and its implementations.

The Importance of Password Encoding 

Password encoding (often referred to as hashing) is a security measure that transforms a plain text password into a unique string of characters. The primary goal is to ensure that stored passwords are not easily deciphered if the data store is compromised. Unlike encryption, hashing is a one-way process - meaning the original password cannot be retrieved from the hashed value, adding a layer of security against unauthorized access.

Spring Security - PasswordEncoder

Spring Security provides a PasswordEncoder interface for encoding plain passwords based on algorithms. Spring Security provides several implementations for the PasswordEncoder interface based on the algorithms (bcrypt, scrypt, PBKDF2, argon2, and others) 
  • BCryptPasswordEncoder - bcrypt 
  • Pbkdf2PasswordEncoder - PBKDF2 
  • SCryptPasswordEncoder - script 
  • Argon2PasswordEncoder - argon2

BCryptPasswordEncoder Implementation

  • The BCryptPasswordEncoder implementation uses the widely supported bcrypt algorithm to hash the passwords. 
  • BCryptPasswordEncoder has the parameter strength. The default value in Spring Security is 10. Using a SecureRandom as a salt generator is recommended because it provides a cryptographically strong random number.

Argon2PasswordEncoder Implementation

  • The Argon2PasswordEncoder implementation uses the Argon2 algorithm to hash the passwords. 
  • To defeat password cracking on custom hardware, Argon2 is a deliberately slow algorithm that requires large amounts of memory. 
  • The current implementation of the Argon2PasswordEncoder requires BouncyCastle.

Pbkdf2PasswordEncoder Implementation

  • The Pbkdf2PasswordEncoder implementation uses the PBKDF2 algorithm to hash the passwords.
  • To defeat password cracking, PBKDF2 is a deliberately slow algorithm. 
  • This algorithm is a good choice when FIPS certification is required.

SCryptPasswordEncoder Implementation

  • The SCryptPasswordEncoder implementation uses the scrypt algorithm to hash the passwords. 
  • To defeat password cracking on custom hardware, scrypt is a deliberately slow algorithm that requires large amounts of memory.

Which is the most commonly used PasswordEncoder Implementation ?

The BCryptPasswordEncoder implementation is commonly used to hash the passwords using bcrypt algorithm.

Implementing Password Encoder in Spring Security 

Incorporating a PasswordEncoder into your Spring Security setup is straightforward. Here's how you can configure the BCryptPasswordEncoder class implementation of the PasswordEncoder interface:
public class SpringSecurityConfig {

    public static PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();

    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

                .authorizeHttpRequests((authorize) -> {
        return http.build();

    public UserDetailsService userDetailsService(){

        UserDetails ramesh = User.builder()

        UserDetails admin = User.builder()

        return new InMemoryUserDetailsManager(ramesh, admin);
In this example, we define a PasswordEncoder bean using the BCryptPasswordEncoder. When configuring the in-memory authentication, passwords are encoded using this encoder, enhancing the security of stored credentials. 

Best Practices for Using Password Encoder 

Choose the Right Encoder: Select an encoder that provides adequate security while considering the performance impact on your application. 

Secure Password Storage: Store only the encoded password in your database. Never store plain-text passwords. 

Regularly Update Security Measures: Stay updated with the latest security practices and update your password encoding strategies accordingly. 


Employing a PasswordEncoder in your Spring Security configuration is fundamental to securing users' credentials. By understanding the importance of password encoding and leveraging Spring Security's support for various encoding mechanisms, developers can significantly enhance the security of their applications. Remember, in security, the strength of your defences is often measured by the robustness of your weakest link. Ensuring that passwords are securely encoded and stored not only protects your users but also fortifies your application against potential threats.