password4j VS Tink

Argon2 - https://password4j.com/

This library is much more maintained, can use more algorithms (not only bcrypt) and adopts fulent APIs.

> I wonder what people say when they find a bug despite you using standard crypto?

Not using TLS doesn't automatically mean you need to "roll your own crypto". They could have used a well documentend library such as Google Tink[1] instead of doing their own crypto.

[1] https://github.com/google/tink

I sort of rewrote google's tink project in rust. There is already a rust version by project oak but it didn't exactly jive.

PassManager uses the Tink library for encryption, which provides state-of-the-art** security for your passwords. Tink uses industry-standard encryption algorithms like AES to ensure that your passwords are kept safe from prying eyes.

Note that in the example jwt refers to the Tink jwt package.

What I can't tell is if the new version had any fixes related to the bug being discussed here

Even the slightest hiccup could leave me vulnerable. I don't want to roll my own encryption. I want to use something like tink (a secure crypto library by Google) but unfortunately they don't support node or Javascript (there's a library that was published 2 years ago).

I dont have an answer for you, but 2 resources that are worth checking out: https://developer.android.com/guide/topics/security/cryptography and https://developers.google.com/tink

> Do C (or something where the mapping to C is known), and lots of languages have FFI libs where wrapping that is fairly trivial

That is an interesting idea, yet still a lot of work, sadly. I was hoping somebody had done the legwork already. I looked at Tink [1] and age [2] based on my co-worker's recommendation, but they all seem to have limited implementations in other languages.

[1] https://github.com/google/tink

[2] https://github.com/FiloSottile/age