Password hash mechanism


We would like to confirm whether CUBA is using bcrypt for password hashing in version 7.2.5 and that it is salted with the user ID. Is this correct?

Also, how many iterations are used for the password hashing?

Does this also apply to the REST API add-on users?



It depends; we have a number of modules. Please check the com.haulmont.cuba.core.sys.encryption.EncryptionModule implementations.

As for the REST API, I don't quite understand the question. All users are stored in the database in the same way, so you can use any username and password to log in using the Generic UI login form, if the proper privileges are granted.

Why do you ask this, what are you going to achieve?

We are building a REST API using the add-on. User authentication uses OAuth. The OAuth user is created in the CUBA admin screen, right? The IT user is asking:
a) what password hash algorithm we are using (bcrypt is preferred)
b) what salt we are using (we are using the user ID)
c) how many iterations of hashing we do (I don't know this).

Can you clarify how the standard password algorithm is used?



a) By default, in the latest CUBA version, bcrypt is used.
b) As for the salt, the BCrypt library's internal salt is used, as shown in the BCryptEncryptionModule implementation:

    public String getPasswordHash(UUID userId, String password) {
        // userId is not used as the salt: BCrypt.gensalt() generates a random one
        String salt = BCrypt.gensalt();
        return BCrypt.hashpw(password, salt);
    }

c) As for iterations, we use the default BCrypt constant, currently 10 rounds; see the org.mindrot.jbcrypt.BCrypt#gensalt() method:

    // log2 of the work factor: 2^10 = 1024 key-setup iterations per hash
    private static final int GENSALT_DEFAULT_LOG2_ROUNDS = 10;

    public static String gensalt() {
        return gensalt(GENSALT_DEFAULT_LOG2_ROUNDS);
    }

Please have a look at the com.haulmont.cuba.core.sys.encryption.BCryptEncryptionModule source code; you will see how BCrypt is used.

You can implement your own encryption module with the desired features and specify it in the settings, as described in the documentation:
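As an added check (not CUBA's or jBCrypt's code): bcrypt records its cost and salt inside the hash string, so the stored SEC_USER password hashes can be audited to confirm they are bcrypt and that the cost is at least the default of 10. The "10 rounds" above is the log2 cost, so each hash runs 2^10 = 1024 key-setup iterations, which answers the iteration question; the sample rows below are constructed, not real data.

```python
import re

# Layout of a bcrypt hash as produced by org.mindrot.jbcrypt.BCrypt.hashpw():
#   $2a$ <2-digit log2 cost> $ <22-char salt> <31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt_hash(stored):
    """Return a dict describing a stored bcrypt hash, or None if it is not one."""
    m = BCRYPT_RE.match(stored)
    if m is None:
        return None
    version, cost, salt, _digest = m.groups()
    log2_rounds = int(cost)
    return {
        "version": version,
        "log2_rounds": log2_rounds,      # what the post calls "10 rounds"
        "iterations": 2 ** log2_rounds,  # key-setup iterations actually run
        "salt": salt,                    # random, produced by BCrypt.gensalt()
    }


def audit_password_hashes(rows, min_log2_rounds=10):
    """rows: iterable of (user_id, stored_hash). Returns (user_id, finding) pairs."""
    findings = []
    for user_id, stored in rows:
        info = parse_bcrypt_hash(stored)
        if info is None:
            findings.append((user_id, "not a bcrypt hash"))
        elif info["log2_rounds"] < min_log2_rounds:
            findings.append((user_id, "cost %d below minimum %d"
                             % (info["log2_rounds"], min_log2_rounds)))
    return findings


# Constructed sample rows (synthetic salts/digests, not real CUBA data).
SAMPLE_ROWS = [
    ("user-1", "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("user-2", "$2a$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("user-3", "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),  # hex digest from another module
]

if __name__ == "__main__":
    for user_id, finding in audit_password_hashes(SAMPLE_ROWS):
        print(user_id, finding)
```

Run it against a dump of the password column with the same tuple shape; any row flagged "not a bcrypt hash" was written by a different EncryptionModule and will be rehashed only when that user next logs in or changes the password.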