Support Parameter-Based Hash Matching for Password4j Encoders #17882
Description
The Password4j encoders should support matching passwords that were encoded with different parameters than the current encoder configuration. This can be achieved using Password4j's static getInstanceFromHash(String) methods that extract parameters from the encoded hash.
Affected Classes
BcryptPassword4jPasswordEncoder - supports BcryptFunction.getInstanceFromHash(String)
Argon2Password4jPasswordEncoder - supports Argon2Function.getInstanceFromHash(String)
ScryptPassword4jPasswordEncoder - supports ScryptFunction.getInstanceFromHash(String)
Current Limitation
Currently, these encoders can only match passwords that were encoded with the exact same parameters as the current encoder configuration.
Expected Enhancement
Enhance the matchesNonNull method to extract algorithm parameters from the encoded password hash and use those parameters for matching, allowing passwords encoded with different parameters to be validated correctly.
Note
Not all Password4j implementations support parameter extraction from hashes:
✅ BCrypt, Argon2, SCrypt - support getInstanceFromHash(String)
❌ PBKDF2, Balloon Hashing - do not include parameters in the hash format used by Password4j
Implementation Approach
For supported algorithms, modify the matching logic to:
Try matching with current encoder configuration first (for performance)
If that fails, extract parameters from the hash using getInstanceFromHash(String)
Use the extracted function for matching