Question 1

How to migrate from MD5 to Argon2 with Password4j?

Accepted Answer

Use the hash update feature: check the old MD5 hash, then re-hash with Argon2 using Password.check() and .withArgon2(). The README shows an example for migrating from insecure algorithms.

Question 2

Is Password4j better than Spring Security for password hashing?

Accepted Answer

Password4j offers more algorithm choices and flexible configuration, but Spring Security provides deeper integration with Spring ecosystems. Choose based on your need for algorithm variety versus framework compatibility.

Question 3

Does Password4j work on Android without issues?

Accepted Answer

Yes, it's compatible with Android API 21+, but ensure proper testing as performance may vary on mobile devices, and SecureRandom settings need careful handling to avoid blocking.

Question 4

What's the best algorithm in Password4j for new projects?

Accepted Answer

Argon2 is recommended for modern security due to its memory-hard properties, but use the SystemChecker tool to tune parameters based on your system's performance for optimal balance.

Question 5

How to add pepper to passwords in Password4j?

Accepted Answer

Define a global pepper in the property file or use .addPepper() in code, as shown in the Configuration section. Pepper enhances security by adding a secret key to the hash.

Question 6

Can Password4j handle salt automatically?

Accepted Answer

Yes, it automatically generates and manages salt for algorithms like Argon2, bcrypt, and scrypt, but for PBKDF2, you may need to specify it with .addSalt(), per the verification notes.

Password4j

What is Password4j?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions