Spring Boot · How-To · Beginner · 4 min read

How to Use BCryptPasswordEncoder in Spring Boot Securely

In Spring Boot, hash passwords with BCryptPasswordEncoder: call encode() on the raw password and store only the result. To verify a login attempt, call matches() with the raw password and the stored hash; never compare hashes as strings, because every encode() call uses a fresh random salt.
📐

Syntax

The BCryptPasswordEncoder class provides two main methods: encode(CharSequence rawPassword), which returns a 60-character bcrypt hash, and matches(CharSequence rawPassword, String encodedPassword), which checks whether a raw password corresponds to that hash. Each call to encode() generates a new random salt; the output embeds the bcrypt version, the cost factor and the salt (for example the "$2a$10$" prefix), so matches() needs nothing but the stored hash to verify a password.

The no-argument constructor uses a cost factor (strength) of 10. BCryptPasswordEncoder(int strength) accepts values from 4 to 31; each increment doubles the work, so raise it only as far as your login latency budget allows. You typically create a single instance, in Spring Boot usually exposed as a PasswordEncoder bean, and use it to encode passwords before saving them and to verify passwords during login.

java
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String hashed = encoder.encode(rawPassword);
boolean isMatch = encoder.matches(rawPassword, hashed);
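The cost factor is the one tuning knob on BCryptPasswordEncoder, and because it is recorded inside every hash, an encoder configured with a higher strength still verifies older, weaker hashes. The following is an added example, not code from the original page; it assumes spring-security-crypto on the classpath and uses the library's own upgradeEncoding() method to detect hashes that should be re-encoded on the next successful login.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BCryptStrengthDemo {

    public static void main(String[] args) {
        PasswordEncoder oldPolicy = new BCryptPasswordEncoder(10); // the library default
        PasswordEncoder newPolicy = new BCryptPasswordEncoder(12); // 4x the work of cost 10

        String raw = "correct horse battery staple"; // constructed sample input

        String hashedAtCost10 = oldPolicy.encode(raw);
        // The "$2a$10$" prefix records bcrypt version and cost; the next 22 characters are the salt.
        System.out.println("cost-10 hash: " + hashedAtCost10);

        long start = System.nanoTime();
        String hashedAtCost12 = newPolicy.encode(raw);
        long millis = (System.nanoTime() - start) / 1_000_000;
        System.out.println("cost-12 hash: " + hashedAtCost12 + " (" + millis + " ms to encode)");

        // matches() reads the cost from the stored hash, not from the encoder,
        // so an encoder configured at strength 12 still verifies a cost-10 hash.
        System.out.println("new policy verifies old hash: " + newPolicy.matches(raw, hashedAtCost10));

        // upgradeEncoding() returns true when the cost embedded in the hash is
        // lower than the encoder's configured strength.
        System.out.println("old hash needs upgrade: " + newPolicy.upgradeEncoding(hashedAtCost10));
        System.out.println("new hash needs upgrade: " + newPolicy.upgradeEncoding(hashedAtCost12));

        // Rehash-on-login: only after the password verified, and only if the stored hash is weak.
        if (newPolicy.matches(raw, hashedAtCost10) && newPolicy.upgradeEncoding(hashedAtCost10)) {
            String rehashed = newPolicy.encode(raw);
            System.out.println("stored hash replaced with: " + rehashed);
        }
    }
}
```

Time the cost-12 encode on the hardware that will serve logins; the usual target is a few hundred milliseconds per hash, and the same cost applies to every matches() call, so it directly bounds your login throughput.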
💻

Example

This example shows a simple Spring Boot application that encodes a password and verifies it using BCryptPasswordEncoder.

java
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@SpringBootApplication
public class BCryptExampleApplication implements CommandLineRunner {

    public static void main(String[] args) {
        SpringApplication.run(BCryptExampleApplication.class, args);
    }

    @Override
    public void run(String... args) {
        // Default constructor: bcrypt version $2a, cost factor 10.
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        String rawPassword = "mySecret123";

        // encode() salts and hashes; this is the only value you persist.
        String encodedPassword = encoder.encode(rawPassword);
        System.out.println("Encoded password: " + encodedPassword);

        // matches() re-derives the hash from the raw password and the salt stored in encodedPassword.
        boolean matches = encoder.matches(rawPassword, encodedPassword);
        System.out.println("Password matches: " + matches);
    }
}
Output
Encoded password: $2a$10$... (60-character hash; differs on every run)
Password matches: true
⚠️

Common Pitfalls

  • Do not store raw passwords; always store the encoded hash, and keep raw passwords out of logs and exception messages.
  • Do not encode the password multiple times before saving; encode only once, at registration or password change, and pass the raw password to matches() at login.
  • Use matches() to verify passwords instead of comparing encoded strings directly, because each encode() call draws a fresh random salt and produces a different hash for the same input.
  • Avoid creating a new BCryptPasswordEncoder in every service; declare one PasswordEncoder bean and inject it, so the cost factor is configured in one place.
  • bcrypt only uses the first 72 bytes of the password. Validate the length before calling encode() rather than relying on the library to truncate or reject longer inputs.
  • matches() returns false (and logs a warning) for a null or empty stored hash, and throws IllegalArgumentException for a null raw password; treat both as a failed login, not as an error to surface to the client.
java
/* Wrong: comparing encoded passwords directly (always false, because each encode() uses a new salt) */
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String hash1 = encoder.encode("password");
String hash2 = encoder.encode("password");
boolean wrongCheck = hash1.equals(hash2); // false

/* Right: let matches() read the salt out of the stored hash */
boolean correctCheck = encoder.matches("password", hash1); // true
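Putting the pitfalls together, the following is an added example, not code from the original page, of how a Spring Boot application would wire a single PasswordEncoder bean and use it for registration and login. It assumes spring-boot-starter-security on the classpath; the in-memory map and the AccountService, PasswordConfig and dummyHash names are illustrative stand-ins for a real user repository. It encodes exactly once at registration, stores only the hash, enforces bcrypt's 72-byte input limit up front, and runs one bcrypt comparison even for unknown usernames so that response time does not reveal which accounts exist.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Configuration
class PasswordConfig {
    @Bean
    PasswordEncoder passwordEncoder() {
        // Strength 12 is an assumption; tune it to a few hundred ms per hash on your login servers.
        return new BCryptPasswordEncoder(12);
    }
}

@Service
class AccountService {
    private static final int BCRYPT_MAX_BYTES = 72; // bcrypt ignores anything beyond 72 bytes

    private final PasswordEncoder encoder;
    // Constructed stand-in for a database table of (username -> bcrypt hash).
    private final Map<String, String> hashByUsername = new ConcurrentHashMap<>();
    // Hash of random data; compared against when the username is unknown so the
    // failed login costs the same bcrypt work as a real one.
    private final String dummyHash;

    AccountService(PasswordEncoder encoder) {
        this.encoder = encoder;
        this.dummyHash = encoder.encode(UUID.randomUUID().toString());
    }

    public void register(String username, String rawPassword) {
        // Reject over-long passwords explicitly instead of letting bcrypt silently truncate them.
        if (rawPassword.getBytes(StandardCharsets.UTF_8).length > BCRYPT_MAX_BYTES) {
            throw new IllegalArgumentException("password exceeds " + BCRYPT_MAX_BYTES + " bytes");
        }
        if (hashByUsername.containsKey(username)) {
            throw new IllegalArgumentException("username already taken");
        }
        // Encode exactly once; the raw password is never stored or logged.
        hashByUsername.put(username, encoder.encode(rawPassword));
    }

    public boolean authenticate(String username, String rawPassword) {
        boolean known = hashByUsername.containsKey(username);
        String stored = known ? hashByUsername.get(username) : dummyHash;
        // matches() reads salt and cost from the stored hash; the result is only
        // trusted if the account actually exists.
        boolean ok = encoder.matches(rawPassword, stored);
        return ok && known;
    }
}

public class AccountServiceDemo {
    public static void main(String[] args) {
        // Manual wiring so the demo runs without a Spring context; in the app, Spring injects the bean.
        AccountService accounts = new AccountService(new PasswordConfig().passwordEncoder());
        accounts.register("alice", "mySecret123");

        System.out.println("alice / correct password : " + accounts.authenticate("alice", "mySecret123"));
        System.out.println("alice / wrong password   : " + accounts.authenticate("alice", "mySecret124"));
        System.out.println("bob   / unknown user     : " + accounts.authenticate("bob", "anything"));

        try {
            accounts.register("carol", "x".repeat(73)); // 73 bytes: over bcrypt's limit
        } catch (IllegalArgumentException e) {
            System.out.println("carol rejected          : " + e.getMessage());
        }
    }
}
```

In a real application the AccountService would be constructor-injected with the PasswordEncoder bean rather than built by hand, and the map would be a repository; the security-relevant shape (one encoder, one encode per stored password, matches() on every check, a length guard, and equal work for unknown users) stays the same.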
📊

Quick Reference

Remember these key points when using BCryptPasswordEncoder in Spring Boot:

  • Create one instance of BCryptPasswordEncoder to encode and verify passwords.
  • Use encode() to hash raw passwords before saving.
  • Use matches() to verify raw passwords against stored hashes.
  • Never store or log raw passwords.
  • Each encoded password is unique even for the same input because of the random salt, so direct string comparison of hashes is invalid.

Key Takeaways

Use BCryptPasswordEncoder's encode() to hash passwords before saving.
Verify passwords with matches(), not by comparing encoded strings directly.
Never store or log raw passwords to keep user data safe.
Reuse a single BCryptPasswordEncoder instance for efficiency.
Each encoded password is unique even for the same input due to salting.