Password encoding with BCrypt in Spring Boot - Step-by-Step Execution

Concept Flow - Password encoding with BCrypt
User inputs password
BCryptPasswordEncoder encodes password
Encoded password stored securely
User login attempt
BCryptPasswordEncoder matches raw and encoded
If match: allow access, else deny
The flow shows how a password is encoded with BCrypt before storage and later matched during login.
Execution Sample
Spring Boot
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(); // default cost factor 10
String rawPassword = "mySecret123";
String encodedPassword = encoder.encode(rawPassword); // salted one-way hash, e.g. "$2a$10$..."
boolean matches = encoder.matches("mySecret123", encodedPassword); // true: same raw password
This code encodes a raw password and then checks whether the same raw password matches the encoded hash.
Execution Table
Step | Action | Input | Output | Notes
1 | Create encoder | None | BCryptPasswordEncoder instance | Ready to encode passwords
2 | Encode password | "mySecret123" | Encoded string (hash) | Password hashed with salt
3 | Match password | Raw: "mySecret123", Encoded: hash | true | Raw matches encoded hash
4 | Match password | Raw: "wrongPass", Encoded: hash | false | Raw does not match encoded hash
💡 Password matching returns false when raw password does not match encoded hash
Variable Tracker
Variable | Start | After Encoding | After Match True | After Match False
rawPassword | "mySecret123" | "mySecret123" | "mySecret123" | "wrongPass"
encodedPassword | null | "$2a$10$..." | "$2a$10$..." | "$2a$10$..."
matches | null | null | true | false
Key Moments - 3 Insights
Why does the encoded password look like a random string?
BCrypt adds a random salt and hashes the password, so the output is a secure, unique string as shown in step 2 of the execution_table.
Can the encoded password be reversed to get the original password?
No, BCrypt is a one-way hash. You can only check if a raw password matches the encoded hash using the matches method, as shown in steps 3 and 4.
Why does matching fail if the raw password is different?
Because the hash generated from a different raw password won't match the stored encoded hash, as seen in step 4 of the execution_table.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what is the output when encoding the password "mySecret123"?
A. A random-looking encoded string
B. The same password repeated
C. A readable plain text password
D. An error message
💡 Hint
Check step 2 in the execution_table for the output of encoding.
At which step does the password matching return false?
A. Step 3
B. Step 2
C. Step 4
D. Step 1
💡 Hint
Look at the matches column in the execution_table.
If the raw password changes to "newPass", what will happen to the matches variable?
A. It will be true
B. It will be false
C. It will be null
D. It will throw an exception
💡 Hint
Refer to the variable_tracker and step 4 in execution_table where a wrong password results in false.
Concept Snapshot
Use BCryptPasswordEncoder to hash passwords securely.
Encode raw password before storing.
Use matches() to verify raw password against stored hash.
Hashes include random salt, so output looks random.
Never store raw passwords directly.
Full Transcript
This visual execution shows how Spring Boot's BCryptPasswordEncoder works. First, an encoder instance is created. Then, a raw password like "mySecret123" is encoded into a hashed string with salt. This encoded password is stored securely. Later, when a user tries to log in, the raw password they enter is checked against the stored encoded password using the matches method. If they match, access is granted; if not, access is denied. The encoded password looks like a random string because BCrypt adds salt and hashes it. This process is one-way, so you cannot get the original password back from the encoded string. Matching only returns true if the raw password is exactly correct.

Practice

1. What is the main purpose of using BCryptPasswordEncoder in Spring Boot?
easy
A. To validate email addresses
B. To decode passwords back to plain text
C. To generate random passwords for users
D. To securely encode passwords before storing them

Solution

  1. Step 1: Understand BCryptPasswordEncoder role

    BCryptPasswordEncoder is used to convert plain passwords into a secure encoded form.
  2. Step 2: Identify correct purpose

    It does not decode or generate passwords, only encodes them securely.
  3. Final Answer:

    To securely encode passwords before storing them -> Option D
  4. Quick Check:

    Password encoding = Secure storage [OK]
Hint: BCrypt encodes, never decodes passwords [OK]
Common Mistakes:
  • Thinking BCrypt can decode passwords
  • Confusing encoding with password generation
  • Using it for unrelated tasks like email validation
2. Which of the following is the correct way to create a BCryptPasswordEncoder instance in Spring Boot?
easy
A. BCryptPasswordEncoder encoder = BCryptPasswordEncoder();
B. BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
C. BCryptPasswordEncoder encoder = new BCryptPasswordEncoder.encode();
D. BCryptPasswordEncoder encoder = encode(new BCryptPasswordEncoder());

Solution

  1. Step 1: Recall Java object creation syntax

    In Java, to create an object, use the new keyword followed by the constructor.
  2. Step 2: Match correct syntax

    BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(); correctly uses new BCryptPasswordEncoder(); to create an instance.
  3. Final Answer:

    BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(); -> Option B
  4. Quick Check:

    Object creation = new + constructor [OK]
Hint: Use 'new' keyword to create objects in Java [OK]
Common Mistakes:
  • Omitting 'new' keyword when creating objects
  • Calling methods instead of constructors
  • Incorrect method chaining in object creation
3. Given the following code snippet, what will be the output of matches method?
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String rawPassword = "mypassword";
String encodedPassword = encoder.encode(rawPassword);
boolean result = encoder.matches("mypassword", encodedPassword);
System.out.println(result);
medium
A. true
B. false
C. Compilation error
D. Runtime exception

Solution

  1. Step 1: Understand encode and matches methods

    The encode method creates a hashed password. The matches method checks if the raw password matches the encoded hash.
  2. Step 2: Analyze the code flow

    The raw password "mypassword" is encoded, then matches compares the same raw password with the encoded one, so it returns true.
  3. Final Answer:

    true -> Option A
  4. Quick Check:

    matches(raw, encoded) = true if same password [OK]
Hint: matches() returns true if raw matches encoded password [OK]
Common Mistakes:
  • Assuming encode returns plain text
  • Thinking matches compares encoded strings directly
  • Expecting false because encoded password looks different
4. Identify the error in the following Spring Boot code snippet for password encoding:
BCryptPasswordEncoder encoder;
String encoded = encoder.encode("secret");
medium
A. String type cannot hold encoded password
B. encode method does not exist in BCryptPasswordEncoder
C. encoder is not initialized before use
D. Missing import statement for BCryptPasswordEncoder

Solution

  1. Step 1: Check variable initialization

    The variable encoder is declared but not assigned an instance before calling encode.
  2. Step 2: Understand consequences

    Using an uninitialized object causes a NullPointerException at runtime.
  3. Final Answer:

    encoder is not initialized before use -> Option C
  4. Quick Check:

    Uninitialized objects cause runtime errors [OK]
Hint: Always initialize objects before calling methods [OK]
Common Mistakes:
  • Forgetting to create new instance with 'new'
  • Assuming declaration equals initialization
  • Ignoring runtime NullPointerException
5. You want to store user passwords securely in your Spring Boot application. Which approach correctly uses BCryptPasswordEncoder to encode and verify passwords during login?
hard
A. Encode password on registration, store encoded; on login, use matches(rawPassword, storedEncodedPassword)
B. Store plain password; on login, encode input and compare with stored plain password
C. Encode password on registration, store encoded; on login, encode input and compare encoded strings directly
D. Encode password on registration, store encoded; on login, decode stored password and compare with input

Solution

  1. Step 1: Understand secure password storage

    Passwords must be encoded before storing; plain text storage is insecure.
  2. Step 2: Verify password correctly on login

    Use matches(rawPassword, storedEncodedPassword) to check if input matches stored hash without decoding.
  3. Final Answer:

    Encode password on registration, store encoded; on login, use matches(rawPassword, storedEncodedPassword) -> Option A
  4. Quick Check:

    Use matches() to verify passwords securely [OK]
Hint: Use matches() to check raw vs encoded passwords [OK]
Common Mistakes:
  • Comparing encoded strings directly (they differ each time)
  • Storing plain text passwords
  • Trying to decode encoded passwords (not possible)
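The registration and login flow from the transcript, alongside the "compare encoded strings directly" mistake from question 5, as an added example that is not part of the original lesson. It assumes Spring Security's crypto module is on the classpath; the class and method names are hypothetical.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Hypothetical demo class written for this page; not part of the original lesson
public class BCryptFlowDemo {

    // One shared encoder; the no-arg constructor uses Spring's default cost factor of 10
    private static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // Registration: hash the raw password once and persist only the hash
    static String register(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    // Login: matches() reads the salt out of the stored hash, re-hashes the attempt
    // with that salt and compares the result, so no decoding is ever needed
    static boolean login(String attempt, String storedHash) {
        return ENCODER.matches(attempt, storedHash);
    }

    // The mistake from practice question 5, option C: hash the attempt again
    // and compare the two strings
    static boolean loginByStringCompare(String attempt, String storedHash) {
        return ENCODER.encode(attempt).equals(storedHash);
    }

    public static void main(String[] args) {
        String stored = register("mySecret123");

        // A BCrypt hash is 60 characters: "$2a$" version, "10$" cost,
        // a 22-character salt and a 31-character hash
        System.out.println("stored hash: " + stored + " (" + stored.length() + " chars)");

        // Correct verification: accepts the right password, rejects a wrong one
        System.out.println("matches, correct password: " + login("mySecret123", stored));
        System.out.println("matches, wrong password:   " + login("wrongPass", stored));

        // Wrong verification: encode() draws a fresh random salt on every call, so the
        // new hash never equals the stored one and even the correct password is rejected
        System.out.println("string compare, correct password: "
                + loginByStringCompare("mySecret123", stored));

        // Two hashes of the same password differ, yet matches() accepts the
        // password against either of them
        String again = ENCODER.encode("mySecret123");
        System.out.println("two hashes equal: " + stored.equals(again));
        System.out.println("matches against second hash: " + login("mySecret123", again));
    }
}
```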