Password4j Versions

Java cryptographic library that supports Argon2, bcrypt, scrypt and PBKDF2, designed to protect passwords stored in databases. Easy to use by design, highly customizable, secure and portable. All the implementations follow the standards and have been reviewed to perform better in the JVM.

1.8.2

2 weeks ago

Fixed

  • Multi-threaded algorithms use daemon threads so that they do not block application shutdown when there is no explicit System.exit() (#151)
  • Password4j works even when there is no access to psw4j.properties file due to restrictive security policies (#153)

1.8.1

2 months ago

Fixed

  • Argon2Function#internalHash(...) used a double conversion from byte[] to String and back to byte[] that created inconsistencies in Hash#salt (#143)

Changed

  • Hash#Hash(HashingFunction, String, byte[], String) marked deprecated

1.8.0

2 months ago

Added

  • Balloon Hashing implementation (#131)

Fixed

  • Parallelism is achieved by an ExecutorService instantiated during object creation instead of during the hashing process

Changed

  • Banner is disabled by default

1.7.3

8 months ago

Fixed

  • Wrong hashes when the password contains non-ISO 8859-1 characters (#126)

1.7.2

8 months ago

Fixed

  • Suppressed warning for usage of java.security.AccessController. This is how the Java development team fixed the problem for the moment (#119)
  • In some custom JDK implementations java.security.Provider#getServices() can return null instead of empty java.security.Provider.Service[] (#120)

1.7.1

11 months ago

Fixed

  • Bcrypt used negative rounds when cost factor = 31 (#114)

1.7.0

1 year ago

Added

  • APIs now accept byte[] arguments (#93)
  • .forceUpdate() forces Password4j to recalculate a new hash even if the parameters didn't change (#102)

Changed

  • .andUpdate() no longer recalculates the hash if the algorithm, salt or pepper changed from the hash found in Password.check() (#102)

Fixed

  • Inconsistency between public and internal APIs for Argon2 (#93)

1.6.3

1 year ago

Fixed

  • Inconsistency of Argon2 with some kinds of salts generated from external libraries (#92)

1.6.2

1 year ago

Added

  • Application banner (#83).

Fixed

  • Typo for issue #80

Removed

  • Dependencies on Apache Commons Text, which had been vulnerable to arbitrary code execution in the past (#84).

1.6.1

1 year ago

Changed