jBCrypt
jBCrypt is a Java™ implementation of OpenBSD's Blowfish password hashing code, as described in "A Future-Adaptable Password Scheme" by Niels Provos and David Mazières.
This system hashes passwords using a version of Bruce Schneier's Blowfish block cipher with modifications designed to raise the cost of off-line password cracking and frustrate fast hardware implementation. The computational cost of the algorithm is parameterised, so it can be increased as computers get faster. The intent is to make a compromise of a password database less likely to result in an attacker gaining knowledge of the plaintext passwords (e.g. using John the Ripper).
There seems to be a lack of good password hashes for Java - the top two hits in Google (as of 2006/05/24) for "Java password hash" and "Java password encryption" both offer terrible advice: one uses an unsalted hash, which allows reverse dictionary lookup of passwords, and the other recommends reversible encryption, which is rarely needed and should only be used as a last resort.
jBCrypt is licensed under an ISC/BSD licence (see the LICENSE file for details) and ships with a set of JUnit unit tests to verify correct operation of the library and compatibility with the canonical C implementation of the bcrypt algorithm.
The API is very simple:
// Hash a password for the first time
String hashed = BCrypt.hashpw(password, BCrypt.gensalt());

// gensalt's log_rounds parameter determines the complexity;
// the work factor is 2**log_rounds, and the default is 10
// (a second variable name avoids redeclaring "hashed" in the same scope)
String hashedStronger = BCrypt.hashpw(password, BCrypt.gensalt(12));

// Check that an unencrypted password matches one that has
// previously been hashed
if (BCrypt.checkpw(candidate, hashed))
    System.out.println("It matches");
else
    System.out.println("It does not match");
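As an added example (not code from the jBCrypt project), the following builds on the API above and on the point that the work factor can be raised as computers get faster: it verifies a login with checkpw, reads the log_rounds value embedded in the stored hash string, and re-hashes at the current target cost when the stored hash is weaker. The package name org.mindrot.jbcrypt, the TARGET_LOG_ROUNDS value and the class and method names are assumptions.

```java
import org.mindrot.jbcrypt.BCrypt;   // assumed package name for the jBCrypt class

// Added example: verify a login and raise the work factor of old hashes over time.
public class BcryptUpgradeExample {
    // Assumed policy value: today's target work factor (2**12 Blowfish key setups).
    static final int TARGET_LOG_ROUNDS = 12;

    // Extract log_rounds from a bcrypt string of the form $2a$NN$<22 salt><31 hash>.
    static int logRoundsOf(String hash) {
        String[] parts = hash.split("\\$");   // ["", "2a", "NN", "<salt+hash>"]
        if (parts.length != 4 || !parts[1].startsWith("2")) {
            throw new IllegalArgumentException("not a bcrypt hash string");
        }
        return Integer.parseInt(parts[2]);
    }

    /** Outcome of a login check: whether it matched and which hash to keep stored. */
    static final class Result {
        final boolean matched;
        final String hashToStore;   // unchanged, or a fresh hash at the target cost
        Result(boolean matched, String hashToStore) {
            this.matched = matched;
            this.hashToStore = hashToStore;
        }
    }

    static Result verifyAndMaybeUpgrade(String candidate, String stored) {
        if (!BCrypt.checkpw(candidate, stored)) {
            return new Result(false, stored);          // wrong password: store nothing new
        }
        if (logRoundsOf(stored) < TARGET_LOG_ROUNDS) {
            // The plaintext is only available right after a successful check,
            // so this is the one moment an old hash can be re-hashed at higher cost.
            String upgraded = BCrypt.hashpw(candidate, BCrypt.gensalt(TARGET_LOG_ROUNDS));
            return new Result(true, upgraded);
        }
        return new Result(true, stored);
    }

    public static void main(String[] args) {
        // Constructed sample: a hash made earlier at the default cost of 10.
        String legacy = BCrypt.hashpw("correct horse battery", BCrypt.gensalt(10));
        Result r = verifyAndMaybeUpgrade("correct horse battery", legacy);
        System.out.println("matched=" + r.matched + " cost_before=" + logRoundsOf(legacy)
                + " cost_after=" + logRoundsOf(r.hashToStore));
        Result bad = verifyAndMaybeUpgrade("Correct horse battery", legacy);
        System.out.println("wrong password matched=" + bad.matched);
    }
}
```

Persist hashToStore whenever it differs from the stored value; the upgrade costs one extra hashpw call per login until every record has reached the target cost.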
News
jBCrypt-0.4 is released. This corrects an integer overflow that occurs with very large log_rounds values, first reported by Marcus Rathsfeld.
SECURITY: I have just released jBCrypt-0.3, to correct a security vulnerability reported by Aliaksandr Radzivanovich. Please read the security advisory for details of the problem.
I have just released jBCrypt-0.2, with a couple of correctness, typo and API tweaks (fully backwards compatible). Enjoy!
Thu, 10 Apr 2008: C#/.NET port
Derek Slager has ported jBCrypt to C#/.NET, and kindly released it under the same ISC-style license as jBCrypt. His work is available here.
Wed, 24 May 2006: jBCrypt-0.1 released
The first release, jBCrypt-0.1 is out.
Download
jBCrypt is available here: