Also, from experience: virtually nobody uses the good high-level libraries. What library did you use last time you built a feature, like a password reset token, that relied on crypto?
What library _should_ I be using for sending out a password reset token?
(I realize that by asking I am proving your point. I would still like to know the answer.)
You shouldn't use crypto at all (for instance, for reset tokens, you can just use long random numbers as keys), but if you have to use a library, use PGP, NaCl, or Keyczar.
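The "long random numbers as keys" approach from the comment above, as an added example that is not part of the original thread. The `ResetTokenStore` class, the 32-byte token size, the one-hour lifetime, and the choices to store only a hash and to make tokens single-use are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32          # assumed size: 256 bits from the OS CSPRNG
TOKEN_TTL_SECONDS = 3600  # assumed lifetime: one hour


class ResetTokenStore:
    """In-memory stand-in for a database table (hypothetical)."""

    def __init__(self, clock=time.time):
        self._rows = {}      # sha256(token) -> (user_id, expires_at)
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not
        # hand out usable reset links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        # Drop any outstanding token for this user before issuing a new one.
        self._rows = {d: r for d, r in self._rows.items() if r[0] != user_id}
        # The token is a random lookup key: it encodes nothing and is
        # neither encrypted nor signed.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._rows[self._digest(token)] = (user_id, expires_at)
        return token  # goes into the e-mailed link

    def redeem(self, token):
        # pop() makes the token single-use, even if it turns out to be expired.
        row = self._rows.pop(self._digest(token), None)
        if row is None:
            return None
        user_id, expires_at = row
        if self._clock() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("alice")  # constructed sample user id
    print(store.redeem(t), store.redeem(t))
```
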