Properties

David Bertoldi edited this page Feb 18, 2021 · 5 revisions

To improve portability, you can define some properties in the psw4j.properties file, so you don't have to recompile your code when you want to change an option.

Declaring psw4j.properties path

The properties file should always be located in your resources folder and named psw4j.properties. If this is not an option for your project, you can define a custom path with the system property -Dpsw4j.configuration=path/to/my/file.properties

e.g.

java -Dpsw4j.configuration=path/to/my/file.properties ...

Properties

Globals

global.random.strong (boolean)

It defines whether Password4j should use a SecureRandom instantiated with SecureRandom.getInstanceStrong() to generate salts, peppers and any other object that requires a source of randomness.

Make sure that your JVM supports it and that it points to a non-blocking source of entropy; otherwise you may experience huge performance drops.

You can use the source with

Random random = AlgorithmFinder.getSecureRandom();

If omitted, the default value is false

global.pepper (String)

It defines the cryptographic pepper, which should never be stored in the database (or at least not in the same database as the hashes).

This property is used any time you use .addPepper() when hashing or checking and .addNewPepper() when updating the hash.

Additionally you can read this value with

String pepper = PepperGenerator.get();

If omitted, the default value is null.

Message Digest

This set of properties is used when using a MessageDigestFunction (.withMessageDigest()) or AlgorithmFinder.getMessageDigestInstance()

hash.md.algorithm (String)

Defines the message digest algorithm supported by your JVM.

If omitted, the default value is SHA512

hash.md.salt.option (String)

Choose between append or prepend to define how the pepper should be concatenated with the plain text password.

If omitted, the default value is append

PBKDF2

This set of properties is used when using a PBKDF2Function (.withPBKDF2()), a CompressedPBKDF2Function (.withCompressedPBKDF2()), AlgorithmFinder.getPBKDF2Instance() or AlgorithmFinder.getCompressedPBKDF2Instance()

hash.pbkdf2.algorithm (String)

It defines the pseudo-random function from the HMAC family.

If omitted, the default value is SHA512

hash.pbkdf2.iterations (int)

It defines the number of times the pseudo-random function is applied to the password along with the salt.

If omitted, the default value is 64000

hash.pbkdf2.length (int)

It defines the desired length of the final derived key.

If omitted, the default value is 512

hash.pbkdf2.delimiter (char)

It defines the delimiter used in the compressed form (applicable only with CompressedPBKDF2Function).

If omitted, the default value is $

bcrypt

hash.bcrypt.minor (char)

It defines the minor version of bcrypt (a, x, y or b). The suggested version of the algorithm is b, the latest one. The other versions should be used only for backward compatibility, and we recommend updating your hashes as soon as possible.

If omitted, the default value is b

hash.bcrypt.rounds (int)

Defines the number of rounds expressed as an exponent of base 2.

If omitted, the default value is 10 (2^10 = 1024)

Example file

The following is an example file and should never be used in production.

global.random.strong=false

global.pepper=AlicePepper

hash.md.algorithm=SHA-512
hash.md.salt.option=append

hash.pbkdf2.algorithm=SHA256
hash.pbkdf2.iterations=64000
hash.pbkdf2.length=256
hash.pbkdf2.delimiter=$

hash.bcrypt.minor=b
hash.bcrypt.rounds=12

hash.scrypt.workfactor=16384
hash.scrypt.resources=16
hash.scrypt.parallelization=1

hash.argon2.memory=1024
hash.argon2.iterations=5
hash.argon2.length=64
hash.argon2.parallelism=3
hash.argon2.type=id
hash.argon2.version=19
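
A pre-deployment check for the properties described on this page, as an added example that is not part of the Password4j project: it flags the pepper from the example file, a bcrypt minor version other than b, and cost settings below the documented defaults. The function names, the minimal key=value parser and the policy of treating the defaults as a floor are assumptions of this example.

```python
SAMPLE = """\
# constructed input, not a real deployment file
global.pepper=AlicePepper
hash.pbkdf2.iterations=10000
hash.bcrypt.minor=a
hash.bcrypt.rounds=8
"""

# Defaults documented on this page, used as a floor (an assumed policy).
DEFAULT_PBKDF2_ITERATIONS = 64000
DEFAULT_BCRYPT_ROUNDS = 10
EXAMPLE_PEPPER = "AlicePepper"  # value from the page's example file


def parse_properties(text):
    """Minimal key=value parser: skips blank lines and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props):
    findings = []
    pepper = props.get("global.pepper")
    if pepper is None:
        findings.append("global.pepper: not set (default is null)")
    elif pepper == EXAMPLE_PEPPER:
        findings.append("global.pepper: copied from the example file")
    minor = props.get("hash.bcrypt.minor", "b")
    if minor != "b":
        findings.append(f"hash.bcrypt.minor: {minor!r} is not the suggested version b")
    rounds = int(props.get("hash.bcrypt.rounds", DEFAULT_BCRYPT_ROUNDS))
    if rounds < DEFAULT_BCRYPT_ROUNDS:
        findings.append(f"hash.bcrypt.rounds: 2^{rounds} = {2 ** rounds}, below the default 2^10")
    iterations = int(props.get("hash.pbkdf2.iterations", DEFAULT_PBKDF2_ITERATIONS))
    if iterations < DEFAULT_PBKDF2_ITERATIONS:
        findings.append(f"hash.pbkdf2.iterations: {iterations}, below the default 64000")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print(finding)
```

Run against the constructed sample, the check reports all four settings; a file that sets its own pepper and leaves the other properties at their defaults produces no findings.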
