From: MakkaPakka <luk...@gm...> - 2008-12-02 13:03:44
I'm trying to use Jasypt with Bouncy Castle AES and want to clarify what size
password I should/can use.
I've looked at StandardPBEByteEncryptor and it does PBEKeySpec pbeKeySpec =
new PBEKeySpec(this.password.toCharArray()), so I would assume I can use any
length password.
However, anything greater than 7 chars doesn't work.
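Here's the tester code:

    import java.security.Security;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
    import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

    private static final void determinePasswordLength() {
        Security.addProvider(new BouncyCastleProvider());
        final StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 1000; ++i) {
            // The password grows by the decimal digits of i on each pass: "0", "01", "012", ...
            sb.append(i);
            final StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
            encryptor.setAlgorithm("PBEWITHSHA256AND128BITAES-CBC-BC");
            encryptor.setPassword(sb.toString());
            try {
                encryptor.encrypt("stuff");
                System.out.println(sb + " works");
            } catch (final EncryptionOperationNotPossibleException e) {
                // System.out.println(sb + " fails");
            }
        }
    }
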
So I'm guessing there's something I don't understand somewhere. Is it to do
with the use of SHA? I've tried SHA and SHA256 and I still get the same
result.
More importantly, how secure is this? I would generally expect to be able to
use longer passwords so as to increase the entropy.
Thanks for any help you can give.
--
View this message in context: http://www.nabble.com/Password-length-with-BouncyCastle-AES-tp20790335s21332p20790335.html
Sent from the Jasypt - Users mailing list archive at Nabble.com.
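A diagnostic for the 7-character cutoff reported above, as an added example that is not part of the original post. It assumes the failures come from a JRE running the limited-strength JCE policy, and that the provider reports the PBE key's size as the length of the PKCS#12-encoded password (two bytes per character plus a two-byte terminator); the class and method names are hypothetical.

```java
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;

public class PbePasswordLimitCheck {

    // PKCS#12 password encoding: each char as two big-endian bytes,
    // followed by a two-byte zero terminator. Empty passwords encode to nothing.
    static byte[] pkcs12PasswordBytes(char[] password) {
        if (password == null || password.length == 0) {
            return new byte[0];
        }
        byte[] out = new byte[(password.length + 1) * 2];
        for (int i = 0; i < password.length; i++) {
            out[2 * i] = (byte) (password[i] >>> 8);
            out[2 * i + 1] = (byte) password[i];
        }
        return out; // trailing two bytes remain zero
    }

    // Key size the policy check would see under the assumption above.
    static int apparentKeyBits(char[] password) {
        return pkcs12PasswordBytes(password).length * 8;
    }

    // Longest password (in chars) that fits under a given policy limit.
    static int maxPasswordChars(int maxKeyBits) {
        if (maxKeyBits == Integer.MAX_VALUE) {
            return Integer.MAX_VALUE; // unlimited-strength policy installed
        }
        return Math.max(0, maxKeyBits / 16 - 1);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // 128 on a limited-strength policy, Integer.MAX_VALUE when unlimited.
        int limit = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max allowed AES key length: " + limit + " bits");
        System.out.println("Longest accepted password: " + maxPasswordChars(limit) + " chars");

        // Constructed sample passwords of increasing length.
        for (String pw : new String[] {"abcdef", "abcdefg", "abcdefgh", "abcdefghi"}) {
            int bits = apparentKeyBits(pw.toCharArray());
            System.out.println(pw.length() + " chars -> " + bits + " bits: "
                    + (bits <= limit ? "allowed" : "rejected by policy"));
        }
    }
}
```

With a 128-bit limit, 7 characters encode to 16 bytes (128 bits) and 8 characters to 18 bytes (144 bits), which matches the cutoff in the post. The derived AES key is 128 bits regardless of password length, so this limit caps password entropy rather than cipher strength.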