Should I use jBcrypt or PBKDF2 for password salting in Java?

Hello Everyone!

I am still fairly new to Java programming, so please forgive me if this question is not thorough enough.

I am trying to find a way to salt and hash my passwords in Java for a web app that requires a password login.

I tried to use the Bouncy Castle bcrypt and scrypt classes in order to get a method of salting, hashing, and password verification only to find out that there is no password verification method in either one of these classes. If I am incorrect in this assessment, please let me know what the method is for password verification or if I am missing something.

As an alternative, I have decided to try out bcrypt instead before I just break down and go to PBKDF2 since there is more documentation out there for that instead of bcrypt or scrypt.

The problem that I am running into is that I found Mindrot's bcrypt at this website: http://www.mindrot.org/projects/jBCrypt/#download, but my concern is that it hasn't been updated in about two years. I had a developer at my work tell me to only use encryption methods that are being constantly updated within the past six months, so it makes me really nervous to even consider it.

Has anyone out there used jBcrypt recently? Is it still something that I can use for my project?

If not, where is somewhere reliable that I can get either bcrypt or scrypt with password verification?

Thanks in advance!

You should not worry too much about jBcrypt; as far as I know, it is a widely used library, and if you check the author's webpage you will see that the library has been updated to resolve security issues and bugs.

The code is not so big and you can take a look; specifically, check the tests.
