How do I implement a pepper in Spring MVC

Question

I was trying to make my Application secure, when I tought to myself that I should implement peppers, so that the password is secure. I haven't really found any solutions using the spring-security framework, so I wanted to ask if it's even possible.

Answer 1

According to Spring Security > Features > Authentication > Password Storage , Spring Security provides a number of built-in ways to encode passwords in a password store. Indeed, you can implement your own encoding scheme.

Looking at the existing StandardPasswordEncoder javadoc we see that is described as combining the password, a salt and a secret in the input to a crypto hash function (SHA-256). The secret can be "system wide" or specific to the encoder. You could either use this class directly, or clone and modify it.

HOWEVER

The StandardPasswordEncoder class has been deprecated by Spring. According to them, the approach of hashing a salted password is insecure, even when you add a secret; e.g. a "pepper".

According to them, a more secure approach is to use a very computationally expensive (i.e. slow) function to do the hashing. They provide a number of encoders that work this way; e.g. BCryptPasswordEncoder, Argon2PasswordEncoder, Pbkdf2PasswordEncoder and SCryptPasswordEncoder.

So my advice would be:

1. Do not use StandardPasswordEncoder. It is deprecated.

2. Do not to try roll your own Spring password encoding scheme based on salts and peppers. In addition to the systemic weakness of such schemes (which is why StandardPasswordEncoder is deprecated), you risk injecting extra weaknesses due to flaws in your own implementation; e.g. the handling of the "pepper" secret(s).

3. Do use one of the alternatives (see above) that the Spring engineers have developed, tested and support.