Programming language: Java
License: Apache License 2.0
Tags: Security     Projects    
Latest version: v1.6.2

Password4j alternatives and similar libraries

Based on the "Security" category.
Alternatively, view password4j alternatives based on common mentions on social networks and blogs.

  • Tink

    DISCONTINUED. Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
  • DependencyCheck

    OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
  • Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
    Promo www.influxdata.com
    InfluxDB Logo
  • OpenAM

    OpenAM is an open access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security.
  • Topaz

    Cloud-native authorization for modern applications and APIs
  • SSLContext-Kickstart

    ๐Ÿ” A lightweight high level library for configuring a http client or server based on SSLContext or other properties such as TrustManager, KeyManager or Trusted Certificates to communicate over SSL TLS for one way authentication or two way authentication provided by the SSLFactory. Support for Java, Scala and Kotlin based clients with examples. Available client examples are: Apache HttpClient, OkHttp, Spring RestTemplate, Spring WebFlux WebClient Jetty and Netty, the old and the new JDK HttpClient, the old and the new Jersey Client, Google HttpClient, Unirest, Retrofit, Feign, Methanol, Vertx, Scala client Finagle, Featherbed, Dispatch Reboot, AsyncHttpClient, Sttp, Akka, Requests Scala, Http4s Blaze, Kotlin client Fuel, http4k Kohttp and Ktor. Also gRPC, WebSocket and ElasticSearch examples are included
  • Passay

    Password policy enforcement for Java.
  • Kalium

    DISCONTINUED. Java binding to the Networking and Cryptography (NaCl) library with the awesomeness of libsodium
  • Jwks RSA

    JSON Web Key Set parser.
  • OTP-Java

    A small and easy-to-use one-time password generator library for Java implementing RFC 4226 (HOTP) and RFC 6238 (TOTP).
  • SecurityBuilder

    Fluent builders with typesafe API for the JCA
  • JObfuscator

    JObfuscator is a source code obfuscator for the Java language. Protect Java source code & algorithms from hacking, cracking, reverse engineering, decompilation & technology theft.
  • jwt-java

    JSON Web Token implementation for Java according to RFC 7519. Easily create, parse and validate JSON Web Tokens using a fluent API.

Do you think we are missing an alternative of Password4j or a related project?

Add another 'Security' Library


Build Status

Build Status Maven Central Java 8 or higher Android 5.0 or higher Mentioned in Awesome Java

Quality Gate Status Security Rating Reliability Rating Maintainability Rating Coverage

Password4j is a Java user-friendly cryptographic library for encrypting and verifying passwords with different Key derivation functions (KDFs) and Cryptographic hash functions (CHFs).

Algorithms can be configured programmatically or through a property file in your classpath see Configuration section.

The configurations are mostly dependent on your environment. Password4j delivers a tool that can create a set of optimal parameters based on the system performance and the desired maximum computational time see Performance section.


The library fully supports Argon2, bcrypt, scrypt and PBKDF2 and can produce and handle cryptographic salt and pepper.


Wiki javadoc

The full documentation can be found here. For a quick start you can follow the instuctions in the README.md.

The javadoc can be found here.


Password4j runs on Java 8 or higher versions by any vendor. It is compatible with Android API 21+ as well.

The artifacts are deployed to Maven Central. Add the dependency of the latest version to your pom.xml:



Password4j provides three main features: password hashing, hash checking and hash updating.

Hash the password

Here it is the easiest way to hash a password with a CHF (scrypt in this case). Salt and pepper may be optionally added to the builder:


The same structure can be adopted for the other CHFs, not just for scrypt.

Verify the hash

With the same ease you can verify the hash. Salt and pepper may be optionally added to the builder (Argon2 in this case):


The same structure can be adopted for the other algorithms, not just for Argon2. Take in account that Argon2, bcrypt and scrypt store the salt inside the hash, so the addSalt() method is not needed.


Update the hash

When a configuration is not considered anymore secure you can refresh the hash with a more modern algorithm like this:


Or if you want to switch from a CHF to another one:


List of supported algorithms

Key derivation Functions Since Notes
PBKDF2 1.0.0 Depending on the Security Services your JVM provides
bcrypt 1.0.0
scrypt 1.0.0
Argon2 1.5.0
Cryptographic Hash Functions Since Notes
MD Family 1.4.0
SHA1 Family 1.4.0
SHA2 Family 1.4.0
SHA3 FAmily 1.4.0 Depending on the Security Providers your JVM provides

Unsecure Algorithms

Many systems may still use unsecure algorithms for storing the passwords, like MD5 or SHA-256. You can easily migrate to stronger algorithms with Password4j



Password4j makes available a portable way to configure the library.

With the property file psw4j.properties put in your classpath, you can define the parameters of all the supported CHFs or just the CHF(s) you need. Alternatively you can specify a custom path with the system property -Dpsw4j.configuration

```shell script java -Dpsw4j.configuration=/my/path/to/some.properties ...

Here's a basic configuration (please do not use it in production, but instead start a benchmark session in your target environment<sup>see [Performance section](#Performance)</sup>)
### Argon2

### bcrypt
# logarithmic cost (cost = 2^12)

### scrypt
# N
# r
# p
# length

### PBKDF2
# with HMAC-SHA256
# 64000 iterations
# derived key of 256bit 

### Legacy MessageDisgest
# algorithm
# append/prepend salt

Additionally you can define here your shared pepper


and use it like this

// Hash

// Verify
Password.check("password", "hash").addPepper().withScrypt();

SecureRandom may be instantiated and used through SecureRandom.getInstanceStrong() to generate salts and peppers.


but make sure that your JVM supports it and it points to a non-blocking source of entropy, otherwise you may experience huge performance dropssee SecureRandom.


This tool must be used in the target system because performances may vary on different environments.

Password4j is delivered with a tool that helps the developers to choose the right parameters for a specific CHF.

The class SystemChecker can be used to find these optimal values.

In the wiki you can find how to configure PBKDF2, bcrypt, scrypt and Argon2 depending on your responsiveness requirements.


Password4j is compatible with JCA. See this project for more details.


GitHub issues GitHub closed issues

Please read [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduct, and the process for submitting pull requests to us.


SemVer 2.0.0

We use SemVer for versioning.

For the versions available, see the releases on this repository.


GitHub contributors

  • David Bertoldi - Main Maintainer - firaja

See also the list of contributors who participated in this project.



This project is licensed under the Apache License 2.0 License - see the [LICENSE](LICENSE) file for details


GitHub Release Date

See the [CHANGELOG.md](CHANGELOG.md) file for a more detailed description of each release.

*Note that all licence references and agreements mentioned in the Password4j README section above are relevant to that project's source code only.