Preferred BCrypt.Net implementation

There are a few different ports of BCrypt.net out there and it's very hard to tell which is the "best".

Has anyone taken the time to review them and come to any conclusion as to which project to patronize? I'm most interested in which has the most active community of developers. Of course feature set, effectiveness, simplicity and documentation are nice too :)

Here is the list of BCrypt.Net implementations I was able to track down:

Derek Slager

As far as I can tell, this is the first port and has not been updated in a while. Version 0.1

Google Code

The user posted Derek Slager's copy to google code and made some improvements. Version 0.3

NuGet

Visual Studio's only NuGet version, it's a compiled copy with no source so I can't know anything about it for sure. It does appear to support a new function only available in the Version 0.3 Google Code edition. It lists no support site and I can't tell if it's open source and has no attribution of any kind (a bit sketchy). Version 1.0, 213 downloads.

Code Plex

This seems to be a completely independent port with no relation to Derek Slager's port. It appears to have some semi-regular updates. Version R5, 140 downloads.

Is this list complete? Is there any reason to pick one over the other?

Michael La Voie asked Apr 08 '11 20:04

1 Answer

Initially reviewed these in Feb 2013, updated with info from the comments by Justin and Coulton, and to reflect my current use.

The more recent of these appear to be secure, or at least "without known bugs". (There are other weaknesses in bcrypt but they are algorithmic rather than code-related. I assume that if you are using bcrypt you already know about those.)

The libraries listed in the question are all based on the jBCrypt code (except maybe CryptSharp, no idea there), which received bug fixes in Feb 2010 to fix the "weak entropy" security advisory. (http://www.mindrot.org/files/jBCrypt/internat.adv)

Breakdown:

  • The Codeplex port of BCrypt was started in late 2010 (checking in Dec), and was updated to more recent sources in 2013. It is almost certainly safe, and available on NuGet (https://www.nuget.org/packages/BCrypt-Official/).
  • CryptSharp (http://www.zer7.com/software/cryptsharp) is a living, supported project that looks very well done, but I have not evaluated it in depth. Definitely worth checking out. Also available on NuGet (http://www.nuget.org/packages/CryptSharpOfficial/).
  • The Google Code version changelog indicates that it incorporates the Feb 2010 `jBCrypt` bug fixes. But that's kind of ancient and dead.
  • Derek Slager's 2007 port probably does **not** have these fixes, I think you should avoid it.

Rough timeline, based on the revision control change logs:

  1. Derek Slager made a port of jBCrypt in 2007
  2. This was imported into Google Code and updated somewhat in Oct 2010.
  3. The Codeplex code by Ryan D. Emerle started with a later version of jBCrypt as its source (late 2010). This import is dated *after* the last change to Google Code's version. This was updated to the latest source in Nov 2013.
  4. CryptSharp was initially released in Nov 2010, with regular releases through the present (Dec 2014). Written from scratch??

I am currently using the Codeplex version, as it appears to be maintained, and comes up early in the google search results.

On the 2011 crypt_blowfish bug: (j)BCrypt.net is a stand-alone implementation of the algorithm, and does not depend on the unix crypt_blowfish library. So it should not be affected at all. It's overdue for a rewrite to support $2y$ format, though.

tekHedd answered Oct 29 '22 04:10
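The answer's closing remark about `$2y$` support raises a practical question for anyone migrating between these ports: which bcrypt variant and cost factor are the hashes already in your database using? The following is an added example (not code from the question, the answer, or any of the BCrypt.Net ports discussed) that parses bcrypt's modular-crypt string format, extracts the variant prefix and cost, and flags hashes a migration should look at. The sample salt and digest strings are constructed placeholders of the right length and character set, not real hash output, and the policy minimum cost of 10 is an assumption for illustration.

```python
import re
from dataclasses import dataclass

# bcrypt hash layout: $<variant>$<cost>$<22-char salt><31-char digest>
# Variant prefixes seen in the wild:
#   $2$  - original OpenBSD format, no minor version
#   $2a$ - what jBCrypt and the BCrypt.Net ports emit
#   $2x$ - crypt_blowfish (2011) marker for hashes made with its sign-extension bug
#   $2y$ - crypt_blowfish marker for correctly computed hashes
#   $2b$ - OpenBSD (2014) fix for the password-length wraparound bug
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9), not RFC 4648.
_HASH_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")


@dataclass
class BcryptHashInfo:
    variant: str
    cost: int
    salt: str
    digest: str


def parse_bcrypt_hash(h: str) -> BcryptHashInfo:
    """Split a bcrypt string into its fields, rejecting anything malformed."""
    m = _HASH_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost_str, body = m.groups()
    cost = int(cost_str)
    # bcrypt's cost is log2 of the key-setup rounds; implementations accept 4..31
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return BcryptHashInfo(variant, cost, body[:22], body[22:])


def audit_hash(h: str, min_cost: int = 10) -> list:
    """Return a list of findings for one stored hash (empty list == nothing to flag)."""
    findings = []
    try:
        info = parse_bcrypt_hash(h)
    except ValueError as e:
        return [f"unparseable: {e}"]
    if info.variant == "2":
        findings.append("variant $2$: original format without minor version, "
                        "check that the target library accepts it")
    elif info.variant == "2x":
        findings.append("variant $2x$: produced by crypt_blowfish with its pre-2011 "
                        "sign-extension bug, rehash on next successful login")
    if info.cost < min_cost:
        findings.append(f"cost {info.cost} below policy minimum {min_cost}")
    return findings


# Constructed sample data: valid length and alphabet, but not real bcrypt output.
SALT = "abcdefghijklmnopqrstuv"             # 22 chars (assumption: placeholder)
DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"  # 31 chars (assumption: placeholder)
SAMPLES = {
    "legacy_low_cost": f"$2a$04${SALT}{DIGEST}",
    "crypt_blowfish_bug_marker": f"$2x$10${SALT}{DIGEST}",
    "current": f"$2y$12${SALT}{DIGEST}",
    "not_bcrypt": "$6$rounds=5000$somesalt$notabcrypthash",
}


def audit_store(hashes: dict) -> dict:
    """Audit every hash in a {label: hash} mapping; keep only entries with findings."""
    report = {}
    for label, h in hashes.items():
        findings = audit_hash(h)
        if findings:
            report[label] = findings
    return report


if __name__ == "__main__":
    for label, findings in audit_store(SAMPLES).items():
        print(label)
        for f in findings:
            print("  -", f)
```

The regex and the field offsets port directly to C# (`System.Text.RegularExpressions.Regex`) if you want to run the same audit inside the .NET application that owns the hashes. Whichever port you end up on, the useful follow-up is to rehash flagged entries transparently when the user next authenticates successfully, since bcrypt offers no way to raise the cost of an existing hash without the plaintext.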