Package com.oorian.security

Class BcryptHasher

java.lang.Object

com.oorian.security.BcryptHasher

All Implemented Interfaces:

PasswordHasher

public class BcryptHasher
extends Object
implements PasswordHasher

Bcrypt implementation of PasswordHasher.

This is the recommended password hashing implementation. It uses the bcrypt algorithm with a configurable cost parameter that controls the computational expense of hashing. Higher cost values increase resistance to brute-force attacks but take longer to compute.

The default cost is 12, which provides a good balance between security and performance. Each increment doubles the computation time.

Usage:

 // Default cost (12)
 PasswordHasher hasher = new BcryptHasher();

 // Custom cost
 PasswordHasher hasher = new BcryptHasher(14);

 String hash = hasher.hash("myPassword123");
 boolean valid = hasher.verify("myPassword123", hash);
 

Cost parameter guidelines:

• 10 — Fast, suitable for development/testing
• 12 — Default, good balance for most applications
• 14 — Higher security for sensitive applications
• 16+ — Very slow, only for extremely sensitive data

Since:

2.1

Version:

1.0

Author:

Marvin P. Warble Jr.

See Also:

• PasswordHasher
• Pbkdf2Hasher

Field Summary

Fields

Modifier and Type	Field	Description
static final int	DEFAULT_COST	Default bcrypt cost parameter.
static final int	MAX_COST	Maximum allowed cost parameter.
static final int	MIN_COST	Minimum allowed cost parameter.

Constructor Summary

Constructors

Constructor	Description
BcryptHasher()	Creates a BcryptHasher with the default cost of 12.
BcryptHasher(int cost)	Creates a BcryptHasher with the specified cost parameter.

Method Summary

Modifier and Type	Method	Description
int	getCost()	Returns the cost parameter used by this hasher.
String	hash(String password)	Hashes a plaintext password.
boolean	verify(String password, String hash)	Verifies a plaintext password against a previously hashed value.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

DEFAULT_COST

public static final int DEFAULT_COST

Default bcrypt cost parameter.

See Also:

• Constant Field Values

MIN_COST

public static final int MIN_COST

Minimum allowed cost parameter.

See Also:

• Constant Field Values

MAX_COST

public static final int MAX_COST

Maximum allowed cost parameter.

See Also:

• Constant Field Values

Constructor Details

BcryptHasher

public BcryptHasher()

Creates a BcryptHasher with the default cost of 12.

BcryptHasher

public BcryptHasher(int cost)

Creates a BcryptHasher with the specified cost parameter.

Parameters:

cost - the cost parameter (4–31); each increment doubles computation time

Throws:

IllegalArgumentException - if cost is outside the valid range

Method Details

hash

public String hash(String password)

Hashes a plaintext password.

Implementations must generate a cryptographically random salt and include it in the returned hash string so that PasswordHasher.verify(String, String) can extract it for comparison.

Specified by:

hash in interface PasswordHasher

Parameters:

password - the plaintext password to hash

Returns:

the hashed password string (includes salt and algorithm parameters)

verify

public boolean verify(String password,
 String hash)

Verifies a plaintext password against a previously hashed value.

Implementations must use constant-time comparison to prevent timing attacks.

Uses constant-time comparison via MessageDigest.isEqual(byte[], byte[]) to prevent timing attacks.

Specified by:

verify in interface PasswordHasher

Parameters:

password - the plaintext password to verify

hash - the previously hashed password to compare against

Returns:

true if the password matches the hash, false otherwise

getCost

public int getCost()

Returns the cost parameter used by this hasher.

Returns:

the cost parameter