Friend recommends bcrypt (+ HMAC given #108), but it should make it easy to use and migrate existing (hopefully hashed) credentials from prior authentication regimes. Methods to support for verifying credentials include:

• plain text
• MD4
• MD5
• SHA-1, -256, -512

This should basically cover people coming from e.g. spring-security. At no point should Friend allow anyone to hash new passwords using these methods.

/cc @abedra