To hash passwords (one-way), it looks like bcrypt is the best.
I am about to start using jBCrypt, but I have a few worries:
- No mailing list.
- Very low activity overall.
- Bug tracker has only ever had 1 issue, and this 1 issue has not received any sign of activity.
- Only 3 versions have ever been released.
- jBCrypt does not claim to be threadsafe. While most people seem to agree that the source code looks threadsafe, a clear statement on the official website would be much better.
Is there a similar, more mainstream library that everyone is using, and that I missed somehow? (Java, open source)
Or is it actually the “most mainstream” one?
BCrypt is a clever but ‘simple’ algorithm. The Java code is 700 lines long (including comments, and 300 lines of hexadecimal constants) which is simply a port of the original code
That’s not a complicated framework with dozens of modules. It can’t have regular announcement about milestones reached. It just works… You’ll probably have 1 change in the next few years due to a security issue found by a particularly smart security researcher, but you won’t have a community built around that, improvements are not expected as the original algorithm is already implemented
Tests are here to prove the consistency with the C version, I would choose it