The Password4j encoders should support matching passwords that were encoded with different parameters than the current encoder configuration. This can be achieved using Password4j's static getInstanceFromHash(String) methods that extract parameters from the encoded hash.
Affected Classes BcryptPassword4jPasswordEncoder - supports BcryptFunction.getInstanceFromHash(String) Argon2Password4jPasswordEncoder - supports Argon2Function.getInstanceFromHash(String) ScryptPassword4jPasswordEncoder - supports ScryptFunction.getInstanceFromHash(String)
Current Limitation Currently, these encoders can only match passwords that were encoded with the exact same parameters as the current encoder configuration.
Expected Enhancement Enhance the matchesNonNull method to extract algorithm parameters from the encoded password hash and use those parameters for matching, allowing passwords encoded with different parameters to be validated correctly.
Note Not all Password4j implementations support parameter extraction from hashes: ✅ BCrypt, Argon2, SCrypt - support getInstanceFromHash(String) ❌ PBKDF2, Balloon Hashing - do not include parameters in the hash format used by Password4j
Implementation Approach For supported algorithms, modify the matching logic to: Try matching with current encoder configuration first (for performance) If that fails, extract parameters from the hash using getInstanceFromHash(String) Use the extracted function for matching