 

jBCrypt alternative? Officially threadsafe, with a bigger community

To hash passwords (one-way), it looks like bcrypt is the best.

I am about to start using jBCrypt, but I have a few worries:

  • No mailing list.
  • Very low activity overall.
  • Bug tracker has only ever had 1 issue, and this 1 issue has not received any sign of activity.
  • Only 3 versions have ever been released.
  • jBCrypt does not claim to be threadsafe. While most people seem to agree that the source code looks threadsafe, a clear statement on the official website would be much better.

Is there a similar, more mainstream library that everyone is using, and that I missed somehow? (Java, open source)
Or is it actually the "most mainstream" one?

Nicolas Raoul asked Dec 28 '11 09:12


1 Answer

BCrypt is a clever but 'simple' algorithm. The Java code is 700 lines long (including comments, and 300 lines of hexadecimal constants), which is simply a port of the original code.

That's not a complicated framework with dozens of modules. It can't have regular announcements about milestones reached. It just works... You'll probably have 1 change in the next few years due to a security issue found by a particularly smart security researcher, but you won't have a community built around that. Improvements are not expected, as the original algorithm is already implemented.

Tests are here to prove the consistency with the C version. I would choose it.

Grooveek answered Oct 24 '22 09:10
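
For the thread-safety worry raised in the question, here is a concurrency smoke test as an added example (it is not part of the original posts and not code from the jBCrypt project). It assumes the jBCrypt jar is on the classpath and Java 8 or later; the class name, passwords and constants are constructed for illustration. A clean run is evidence of consistent behaviour under contention, not a proof of thread safety.

```java
import org.mindrot.jbcrypt.BCrypt;

import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class BCryptConcurrencyCheck {
    // Constructed values; a low cost factor keeps the run short. Use a higher one in production.
    static final int THREADS = 8, ROUNDS_PER_THREAD = 25, LOG_ROUNDS = 6;

    public static void main(String[] args) throws Exception {
        // Reference hash computed on a single thread before any concurrency starts.
        final String sharedSalt = BCrypt.gensalt(LOG_ROUNDS);
        final String sharedPassword = "constructed-shared-password";
        final String reference = BCrypt.hashpw(sharedPassword, sharedSalt);

        ExecutorService pool = Executors.newFixedThreadPool(THREADS);
        List<Future<Integer>> results = new ArrayList<>();
        for (int t = 0; t < THREADS; t++) {
            final int id = t;
            results.add(pool.submit(() -> {
                int failures = 0;
                for (int i = 0; i < ROUNDS_PER_THREAD; i++) {
                    String own = "constructed-pw-" + id + "-" + i;
                    String hash = BCrypt.hashpw(own, BCrypt.gensalt(LOG_ROUNDS));
                    // A fresh hash must verify against its own password...
                    if (!BCrypt.checkpw(own, hash)) failures++;
                    // ...and must reject a different password.
                    if (BCrypt.checkpw(own + "x", hash)) failures++;
                    // Same password + same salt must give the same hash,
                    // even while other threads are hashing.
                    if (!reference.equals(BCrypt.hashpw(sharedPassword, sharedSalt))) failures++;
                }
                return failures;
            }));
        }

        int total = 0;
        for (Future<Integer> f : results) total += f.get(); // rethrows worker exceptions
        pool.shutdown();

        System.out.println(total == 0 ? "OK: no inconsistencies" : "FAILED: " + total);
        if (total != 0) System.exit(1);
    }
}
```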