1616 */
1717package org .apache .commons .codec .digest ;
1818
19+ import java .security .SecureRandom ;
20+ import java .util .concurrent .ThreadLocalRandom ;
21+
1922import org .apache .commons .codec .Charsets ;
2023
2124/**
@@ -35,7 +38,12 @@ public class Crypt {
3538 * <p>
3639 * A random salt and the default algorithm (currently SHA-512) are used. See {@link #crypt(String, String)} for
3740 * details.
38- *
41+ * </p>
42+ * <p>
43+ * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
44+ * {@link SecureRandom} to generate your own salts and calling {@link #crypt(byte[], String)}.
45+ * </p>
46+ *
3947 * @param keyBytes
4048 * plaintext password
4149 * @return hash value
@@ -55,7 +63,9 @@ public static String crypt(final byte[] keyBytes) {
5563 * @param keyBytes
5664 * plaintext password
5765 * @param salt
58- * salt value
66+ * real salt value without prefix or "rounds=". The salt may be null, in which case a salt is generated for
67+ * you using {@link ThreadLocalRandom}; for more secure salts consider using {@link SecureRandom} to
68+ * generate your own salts.
5969 * @return hash value
6070 * @throws IllegalArgumentException
6171 * if the salt does not match the allowed pattern
@@ -80,7 +90,12 @@ public static String crypt(final byte[] keyBytes, final String salt) {
8090 * Calculates the digest using the strongest crypt(3) algorithm.
8191 * <p>
8292 * A random salt and the default algorithm (currently SHA-512) are used.
83- *
93+ * </p>
94+ * <p>
95+ * A salt is generated for you using {@link ThreadLocalRandom}; for more secure salts consider using
96+ * {@link SecureRandom} to generate your own salts and calling {@link #crypt(String, String)}.
97+ * </p>
98+ *
8499 * @see #crypt(String, String)
85100 * @param key
86101 * plaintext password
@@ -140,7 +155,9 @@ public static String crypt(final String key) {
140155 * @param key
141156 * plaintext password as entered by the used
142157 * @param salt
143- * salt value
158+ * real salt value without prefix or "rounds=". The salt may be null, in which case a salt is generated for
159+ * you using {@link ThreadLocalRandom}; for more secure salts consider using {@link SecureRandom} to
160+ * generate your own salts.
144161 * @return hash value, i.e. encrypted password including the salt string
145162 * @throws IllegalArgumentException
146163 * if the salt does not match the allowed pattern
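Review bot: The new `@param salt` text "real salt value without prefix or "rounds="" in this hunk (and the same wording in the crypt(byte[], String) hunk above) reads as if it were copied from the algorithm-specific classes; if these overloads accept a full `$5$`/`$6$` salt and choose the algorithm from that prefix, as the crypt(3) convention suggests (the method bodies are outside the hunks, so this is inferred), the phrase contradicts the method's actual contract and should be reworded to something like `salt value, optionally prefixed with the algorithm marker and "rounds=" setting`. The ThreadLocalRandom caveat would also be more useful if it stated why the alternative is recommended, e.g. `{@link ThreadLocalRandom} is not a cryptographically strong generator, so generated salts are predictable; callers in security-sensitive contexts should supply a salt from {@link SecureRandom}`. Since this paragraph now appears four times, consider keeping it in one place and linking to it so the copies do not drift.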