To hash passwords (one-way), it looks like bcrypt is the best.

I am about to start using jBCrypt, but I have a few worries:

Is there a similar, more mainstream library that everyone is using, and that I missed somehow? (Java, open source)
Or is it actually the "most mainstream" one?

Nicolas Raoul
  • It should be thread safe (http://code.google.com/p/jbcrypt/issues/detail?id=2) – JustinKSU Jan 17 '13 at 00:02
  • Now that the project is on Google and has a Google Group, maybe it will gain more traction. http://code.google.com/p/jbcrypt/ – JustinKSU Jan 17 '13 at 00:03
  • FWIW, the cited question (and accepted answer) claiming that jBcrypt is not threadsafe is dubious / wrong. See http://stackoverflow.com/questions/3949415/is-jbcrypt-0-3-threadsafe for more recent information. – cemerick Jul 19 '13 at 16:14
  • It's now on GitHub: https://github.com/djmdjm/jBCrypt – Dominik Dorn May 18 '17 at 22:53

1 Answer

BCrypt is a clever but 'simple' algorithm. The Java code is 700 lines long (including comments, and 300 lines of hexadecimal constants), which is simply a port of the original code.

That's not a complicated framework with dozens of modules. It can't have regular announcements about milestones reached. It just works... You'll probably have 1 change in the next few years due to a security issue found by a particularly smart security researcher, but you won't have a community built around that; improvements are not expected as the original algorithm is already implemented.

Tests are here to prove the consistency with the C version; I would choose it.

Grooveek
  • I created issues to address each of my worries, and now it looks like the project is getting a bit of activity after all :-) I decided to integrate this library and it seems to work well so far. – Nicolas Raoul Jan 04 '12 at 03:59