2
votes

Hello Everyone!

I am still fairly new to Java programming, so please forgive me if this question is not thorough enough.

I am trying to find a way to salt and hash my passwords in Java for a web app that requires a password login.

I tried to use the Bouncy Castle bcrypt and scrypt classes in order to get a method of salting, hashing, and password verification only to find out that there is no password verification method in either one of these classes. If I am incorrect in this assessment, please let me know what the method is for password verification or if I am missing something.

As an alternative, I have decided to try out bcrypt instead before I just break down and go to PBKDF2 since there is more documentation out there for that instead of bcrypt or scrypt.

The problem that I am running into is that I found Mindrot's bcrypt at this website: http://www.mindrot.org/projects/jBCrypt/#download , but my concern is that it hasn't been updated in about two years. I had a developer at my work tell me to only use encryption methods that are being constantly updated within the past six months, so it makes me really nervous to even consider it.

Has anyone out there used jBcrypt recently? Is it still something that I can use for my project?

If not, where is somewhere reliable that I can get either bcrypt or scrypt with password verification?

Thanks in advance!

1
jasypt. Click the link, search for "StrongPasswordEncryptor". Also, that is crazy. Most cryptographic software does not require constant updating. If it did, we'd all use one-time pads and be done with it. - Elliott Frisch
Thanks Elliott! Do you think this is better than bcrypt? - Perdue
I think it's about the easiest out there to use, define "better". - Elliott Frisch
Well, I guess I have seen so much debate between the different decryption methods, I just have been at a loss as to which ones to use. - Perdue
org.bouncycastle.crypto.generators.OpenBSDBCrypt.checkPassword(String, char[]) - Maarten Bodewes

1 Answer

0
votes

You should not worry too much about jBcrypt; as far as I know, it is a widely used library, and if you check the author's webpage you will see that the library has been updated to resolve security issues and bugs.

The code is not so big and you can take a look; specifically, check the tests.
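
Salting, hashing and password verification with jBCrypt, the library the question and answer discuss, as an added example that is not part of the original thread or the library's own code. It assumes the jBCrypt jar (class org.mindrot.jbcrypt.BCrypt) is on the classpath; the class name PasswordStore, the COST value and the sample passwords are made up for illustration.

```java
import org.mindrot.jbcrypt.BCrypt;

public class PasswordStore {
    // Assumed policy value for this example; raise it as hardware gets faster.
    private static final int COST = 12;

    /** Hash a new password. gensalt() draws a random salt and embeds it, with the cost, in the result. */
    public static String hash(String password) {
        return BCrypt.hashpw(password, BCrypt.gensalt(COST));
    }

    /** Verify a login attempt against the stored "$2a$<cost>$<salt+hash>" string. */
    public static boolean verify(String candidate, String stored) {
        if (candidate == null || stored == null) {
            return false;
        }
        try {
            // checkpw re-hashes the candidate with the salt and cost read from the stored value.
            return BCrypt.checkpw(candidate, stored);
        } catch (IllegalArgumentException | IndexOutOfBoundsException e) {
            // A malformed or non-bcrypt stored value makes jBCrypt throw; treat it as a failed login.
            return false;
        }
    }

    /** True when the stored hash was made with a lower cost than the current policy (or cannot be parsed). */
    public static boolean needsRehash(String stored) {
        String[] parts = stored.split("\\$"); // "", version, cost, salt+hash
        if (parts.length != 4) {
            return true;
        }
        try {
            return Integer.parseInt(parts[2]) < COST;
        } catch (NumberFormatException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        String stored = hash("correct horse battery staple"); // constructed sample password
        System.out.println(verify("correct horse battery staple", stored));
        System.out.println(verify("wrong guess", stored));

        // Upgrade path: a hash created under an older, cheaper cost is replaced after a successful login.
        String legacy = BCrypt.hashpw("legacy-password", BCrypt.gensalt(6));
        if (verify("legacy-password", legacy) && needsRehash(legacy)) {
            legacy = hash("legacy-password");
        }
        System.out.println(needsRehash(legacy));
    }
}
```

Only the string returned by hash() needs to be stored per user, since the salt and cost travel inside it.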