1
00:00:00,330 --> 00:00:07,410
In this video, let's try to look deep into the password encoder that we have used previously. If you

2
00:00:07,410 --> 00:00:14,100
can recall, previously we configured a bean of PasswordEncoder that should implement and use

3
00:00:14,100 --> 00:00:15,010
NoOpPasswordEncoder.

4
00:00:15,030 --> 00:00:23,010
So this is an indication to the Spring framework that all our password validations should follow the

5
00:00:23,010 --> 00:00:25,640
implementation provided in NoOpPasswordEncoder.

6
00:00:25,650 --> 00:00:32,940
And for the reason that it is marked as deprecated, Spring Security doesn't want us to use this for

7
00:00:32,940 --> 00:00:39,330
any production application or any application where we have a lot of sensitive data inside; that is why it shows as

8
00:00:39,450 --> 00:00:40,140
deprecated.

9
00:00:40,470 --> 00:00:42,030
First, let's try to look into it.

10
00:00:42,180 --> 00:00:43,480
What is PasswordEncoder?

11
00:00:43,560 --> 00:00:50,220
We have looked into it in the previous video, but if you can see the code inside PasswordEncoder,

12
00:00:50,550 --> 00:00:58,530
it is from this package, which is the crypto package, and it is an interface which has three methods.

13
00:00:58,860 --> 00:01:02,400
The very first method that the framework will call is matches.

14
00:01:02,700 --> 00:01:09,210
It will try to match the password that we have received with whatever encoded password we already

15
00:01:09,210 --> 00:01:09,480
have.

16
00:01:09,690 --> 00:01:16,520
So in the process of matching, Spring Security also calls the encode implementation to convert this raw

17
00:01:16,530 --> 00:01:23,670
password into an encoded password, so that it can compare the newly generated encoded password with the

18
00:01:23,670 --> 00:01:27,060
already stored encoded password for similarity.

19
00:01:27,270 --> 00:01:34,800
And you can see this method will never decode what we stored inside the database.

20
00:01:35,130 --> 00:01:42,480
The stored password itself is never decoded, which is a genuine advantage of hashing algorithms.

21
00:01:42,930 --> 00:01:48,840
And at the same time we have an upgradeEncoding method, and you can see inside an interface we have

22
00:01:48,840 --> 00:01:51,300
a concrete method implementation.

23
00:01:51,840 --> 00:01:59,100
That's because from Java 1.8, inside an interface we can have default methods with an

24
00:01:59,100 --> 00:02:00,150
implementation inside.

25
00:02:00,420 --> 00:02:03,940
So by default, the implementation is to return false.

26
00:02:04,320 --> 00:02:12,100
And now let's try to go and look into our NoOpPasswordEncoder, and we can see that NoOpPasswordEncoder

27
00:02:12,150 --> 00:02:13,570
implements PasswordEncoder.

28
00:02:14,100 --> 00:02:20,730
The encode method is doing nothing, just converting the CharSequence of the raw password that we received

29
00:02:20,730 --> 00:02:21,380
into a String.

30
00:02:21,390 --> 00:02:22,730
There is no encoding,

31
00:02:23,100 --> 00:02:32,100
encryption or hashing happening, which means by default Spring Security will not do anything to

32
00:02:32,100 --> 00:02:36,620
your password, and it will always return whatever value it is as a String.

33
00:02:36,930 --> 00:02:45,360
That's why this implementation is not recommended for any application where we maintain sensitive data, and

34
00:02:45,360 --> 00:02:54,120
you can see the matches method also: it will simply try to compare whatever we receive with whatever we

35
00:02:54,120 --> 00:02:55,200
stored in the database.

36
00:02:55,350 --> 00:03:03,090
And in this scenario, that means whenever we try to create a user or update a user's password using our

37
00:03:03,090 --> 00:03:06,610
UserDetailsManager implementation, it will call this code.

38
00:03:06,960 --> 00:03:14,160
And while storing into the database also, it won't do encoding, encryption or hashing; it always

39
00:03:14,160 --> 00:03:15,510
saves it as plaintext.

40
00:03:15,720 --> 00:03:19,620
That's why matches also will end up comparing it as a plain string.

41
00:03:19,830 --> 00:03:22,580
And we are using the equals method here.

42
00:03:22,920 --> 00:03:25,500
So that's NoOpPasswordEncoder.

43
00:03:26,070 --> 00:03:32,610
Due to this reason, we saved the password inside our database in plain text:

44
00:03:32,610 --> 00:03:34,020
one, two, three, four, five.

45
00:03:34,260 --> 00:03:40,140
And when the user enters the same password, one, two, three, four, five, it will compare both

46
00:03:40,140 --> 00:03:40,590
of them.

47
00:03:40,770 --> 00:03:46,890
And since those are matching in terms of plaintext comparison, it is allowing the authentication.

48
00:03:47,220 --> 00:03:50,820
So there is no security enforcement happening here.

49
00:03:51,090 --> 00:03:56,850
All the passwords are maintained in plain text, which is not a recommended approach.

50
00:03:57,000 --> 00:04:06,660
So that's why, let's try to go and use BCryptPasswordEncoder in the coming videos, so that our application

51
00:04:07,290 --> 00:04:11,490
maintains the passwords as hashes and not in plaintext.

52
00:04:11,850 --> 00:04:12,510
Thank you.

53
00:04:12,510 --> 00:04:14,540
And see you in the next video. Bye.
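The following is an added example, not code from the video or from the Spring Security project itself, that exercises the PasswordEncoder contract described in the transcript (encode, matches, upgradeEncoding) with Spring Security's own NoOpPasswordEncoder and BCryptPasswordEncoder. It assumes spring-security-crypto is on the classpath; the class name PasswordEncoderDemo and the helper storeAndVerify are my own.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordEncoderDemo {

    // Simulates what a UserDetailsManager persists when a user is created
    // (encoder.encode) and what Spring Security checks at login (encoder.matches).
    // The stored value is never decoded: the attempt is encoded and compared.
    static boolean storeAndVerify(PasswordEncoder encoder, String rawPassword, String loginAttempt) {
        String stored = encoder.encode(rawPassword);
        System.out.println(encoder.getClass().getSimpleName() + " stores: " + stored);
        return encoder.matches(loginAttempt, stored);
    }

    public static void main(String[] args) {
        String raw = "12345"; // the constructed sample password from the video

        // Deprecated NoOpPasswordEncoder: encode() returns the CharSequence unchanged
        // as a String, and matches() reduces to String.equals(), so the database
        // row holds the literal plaintext "12345".
        @SuppressWarnings("deprecation")
        PasswordEncoder noop = NoOpPasswordEncoder.getInstance();
        System.out.println("NoOp accepts correct password: " + storeAndVerify(noop, raw, "12345"));

        // BCryptPasswordEncoder: encode() produces a salted hash ("$2a$10$..."), different
        // on every call; matches() re-hashes the attempt with the salt embedded in the
        // stored value, so nothing in the database reveals the password.
        PasswordEncoder bcrypt = new BCryptPasswordEncoder();
        System.out.println("BCrypt accepts correct password: " + storeAndVerify(bcrypt, raw, "12345"));
        System.out.println("BCrypt accepts wrong password:   " + storeAndVerify(bcrypt, raw, "12346"));

        // upgradeEncoding(): the interface default returns false, which NoOp inherits.
        // BCryptPasswordEncoder overrides it and reports that a hash produced with a
        // lower strength (cost 4 here) than its own (default 10) should be re-hashed.
        String weakHash = new BCryptPasswordEncoder(4).encode(raw);
        System.out.println("NoOp wants upgrade:   " + noop.upgradeEncoding(raw));
        System.out.println("BCrypt wants upgrade of cost-4 hash: " + bcrypt.upgradeEncoding(weakHash));
    }
}
```

Run it twice and compare the two BCrypt outputs: the stored hash changes each time because of the random salt, while the NoOp value is identical to the input on every run.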