This website does readability filtering of other pages. All styles, scripts, forms and ads are stripped. If you want your website excluded or have other feedback, use this form.

jBCrypt - strong password hashing for Java

< January 2015 Su Mo Tu We Th Fr Sa 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31


jBCrypt is a Java™ implementation of OpenBSD's Blowfish password hashing code, as described in "A Future-Adaptable Password Scheme" by Niels Provos and David Mazières.

This system hashes passwords using a version of Bruce Schneier's Blowfish block cipher with modifications designed to raise the cost of off-line password cracking and frustrate fast hardware implementation. The computation cost of the algorithm is parametised, so it can be increased as computers get faster. The intent is to make a compromise of a password database less likely to result in an attacker gaining knowledge of the plaintext passwords (e.g. using John the Ripper).

There seems to be a lack of good password hashes for Java - the top two hits in Google (as of 2006/05/24) for "Java password hash" and "Java password encryption" both offer terrible advice: one uses an unsalted hash which allows reverse dictionary lookup of passwords and the other recommends reversible encryption, which is rarely needed and should only be used as a last resort.

jBCrypt is licensed under a ISC/BSD licence (see the LICENSE file for details) and ships with a set of JUnit unit tests to verify correct operation of the library and compatibility with the canonical C implementation of the bcrypt algorithm.

The API is very simple:

// Hash a password for the first time
String hashed = BCrypt.hashpw(password, BCrypt.gensalt());

// gensalt's log_rounds parameter determines the complexity
// the work factor is 2**log_rounds, and the default is 10
String hashed = BCrypt.hashpw(password, BCrypt.gensalt(12));

// Check that an unencrypted password matches one that has
// previously been hashed
if (BCrypt.checkpw(candidate, hashed))
	System.out.println("It matches");
	System.out.println("It does not match");


Fri, 30 Jan 2015: jBCrypt-0.4

jBCrypt-0.4 is released. This corrects an integer overflow that occurs with very large log_rounds values, first reported by Marcus Rathsfeld.

[permanent link]

Mon, 01 Feb 2010: jBCrypt-0.3

SECURITY: I have just released jBCrypt-0.3, to correct a security vulnerability reported by Aliaksandr Radzivanovich. Please read the security advisory for details of the problem.

[permanent link]

Wed, 23 Apr 2008: jBCrypt-0.2

I have just released jBCrypt-0.2, with a couple of correctness, typo and API tweaks (fully backwards compatible). Enjoy!

[permanent link]

Thu, 10 Apr 2008: C#/.NET port

Derek Slager has ported jBCrypt to C#/.NET, and kindly released it under the same ISC-style license as jBCrypt. His work is available here.

[permanent link]

Wed, 24 May 2006: jBCrypt-0.1 released

The first release, jBCrypt-0.1 is out.

[permanent link]


jBCrypt is available here: