Welcome to the Java Programming Forums


The professional, friendly Java community. 21,500 members and growing!


The Java Programming Forums are a community of Java programmers from all around the World. Our members have a wide range of skills and they all have one thing in common: A passion to learn and code Java. We invite beginner Java programmers right through to Java professionals to post here and share your knowledge. Become a part of the community, help others, expand your knowledge of Java and enjoy talking with like minded people. Registration is quick and best of all free. We look forward to meeting you.


>> REGISTER NOW TO START POSTING


Members have full access to the forums. Advertisements are removed for registered users.

Page 1 of 2 12 LastLast
Results 1 to 25 of 27

Thread: Using passwords the right way?

  1. #1
    Member
    Join Date
    Oct 2013
    Posts
    78
    Thanks
    55
    Thanked 0 Times in 0 Posts

    Default Using passwords the right way?

    Greetings, I was unsure whether this was supposed to go into theory and questions or what's wrong with my code, I figured since it's more of a question of how to proceed it should go here. Feel free to move the thread to the appropriate location if it is in the wrong section, thank you.

    With that out of the way, let's proceed!

    Up until now I've been storing passwords in String variables and used the
    if(passwordField.getText().equals(adminPassword))
    , but it's my understanding that this is not really secure enough because apparently the password String is then read and for an unknown amount of time it floats around in the memory, vulnerable to rogue software.

    So my question is, what is the right way of using and storing passwords, and how do I go about using it?

    Bonus question, in case anyone knows how or even if it's possible to encrypt .txt files so that they are unreadable to anyone but my application that would be great too!


  2. #2
    Member andbin's Avatar
    Join Date
    Dec 2013
    Location
    Italy
    Posts
    443
    Thanks
    4
    Thanked 122 Times in 114 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by Lora_91 View Post
    Up until now I've been storing passwords in String variables and used the
    if(passwordField.getText().equals(adminPassword))
    , but it's my understanding that this is not really secure enough because apparently the password String is then read and for an unknown amount of time it floats around in the memory, vulnerable to rogue software.

    So my question is, what is the right way of using and storing passwords, and how do I go about using it?
    Precisely for this reason, JPasswordField has the method:

    public char[] getPassword()

    so that you can fill the array, after the use, so that password does not remain "somewhere".

    Quote Originally Posted by Lora_91 View Post
    Bonus question, in case anyone knows how or even if it's possible to encrypt .txt files so that they are unreadable to anyone but my application that would be great too!
    It's perfectly possible to encrypt/decrypt a file in Java using the Cryptography API. But it's not an easy topic.
    Andrea, www.andbin.netSCJP 5 (91%) – SCWCD 5 (94%)

    Useful links for Java beginnersMy new project Java Examples on Google Code

  3. The Following User Says Thank You to andbin For This Useful Post:

    Lora_91 (January 23rd, 2014)

  4. #3
    Forum VIP
    Join Date
    Jul 2010
    Posts
    1,676
    Thanks
    25
    Thanked 329 Times in 305 Posts

    Default Re: Using passwords the right way?

    If you wanted to encrypt just the password, and compare it, it is pretty simple to do once you get down to the bone basics.

    Consider the following code:
    /**
    	 * @param toEncode The String to encode
    	 * @return The encoded String
    	 */
    	public static String encodeString(String toEncode) {
    		try {
    			MessageDigest md = MessageDigest.getInstance(algorithm); //algorithm can be: MD5, SHA-1, or SHA-256
    	        byte[] passBytes = toEncode.getBytes();
    	        md.reset();
    	        byte[] digested = md.digest(passBytes);
    	        StringBuffer sb = new StringBuffer();
    	        for(int i=0;i<digested.length;i++){
    	            sb.append(Integer.toHexString(0xff & digested[i]));
    	        }
    	        return sb.toString();
    	    } catch (NoSuchAlgorithmException ex) {
    	        ex.printStackTrace();
    	    }
    	    return toEncode;
    	}

    So, the way this works is that this method accepts your text password and returns an encoded version of that password.
    So, now we get to the question: how do we then compare the passwords?
    Your first instinct will probably be to ask: how do we decode our password so we can compare? The answer is: we don't.
    Instead, we keep our password encoded and, when we have the password to compare, we then encode that new password and compare the encoded passwords. This way you do not actually expose the decoded password. You are comparing the encoded passwords, not the decoded passwords. The downside to this approach is that you cannot "recover" a user's password.
    NOTE TO NEW PEOPLE LOOKING FOR HELP ON FORUM:

    When asking for help, please follow these guidelines to receive better and more prompt help:
    1. Put your code in Java Tags. To do this, put [highlight=java] before your code and [/highlight] after your code.
    2. Give full details of errors and provide us with as much information about the situation as possible.
    3. Give us an example of what the output should look like when done correctly.

    Join the Airline Management Simulation Game to manage your own airline against other users in a virtual recreation of the United States Airline Industry. For more details, visit: http://airlinegame.orgfree.com/

  5. The Following User Says Thank You to aussiemcgr For This Useful Post:

    Lora_91 (January 23rd, 2014)

  6. #4
    Member
    Join Date
    Oct 2013
    Posts
    78
    Thanks
    55
    Thanked 0 Times in 0 Posts

    Default Re: Using passwords the right way?

    Alright, thanks for the responses. =)

    So if I understand this correctly, I can either change all of my passwords from Strings to the Char arrays and somehow handle them like that, or encode the passwords and compare them?

    I believe the encoding of the passwords sounds best since that is the only sensitive bit of information I have stored for every individual user in the software.

    It's not a big deal of a regular user can't recover their password since an admin could always use theirs to reset it, but how would I go about making sure the admin password is handled safely? I've thought about writing in a master password in the code which only I would know and which could be used to reset the admin password, but I believe I've read that it's dangerous to hard code passwords because rogue software might be able to find it. What would be the best course of action in that case, to make sure the admin password can be changed but not by just about anyone? =/

  7. #5
    Member andbin's Avatar
    Join Date
    Dec 2013
    Location
    Italy
    Posts
    443
    Thanks
    4
    Thanked 122 Times in 114 Posts

    Default Re: Using passwords the right way?

    In databases/files (or anywhere a password is permanently stored), it's a good thing not to store passwords in "clear". Instead it's better to store a "hash" of the password (MD5, SHA1, etc...).
    When you receive a password from the user, you "hash" the password and verify if the two hashes match.
    Andrea, www.andbin.netSCJP 5 (91%) – SCWCD 5 (94%)

    Useful links for Java beginnersMy new project Java Examples on Google Code

  8. The Following User Says Thank You to andbin For This Useful Post:

    Lora_91 (January 23rd, 2014)

  9. #6
    Member
    Join Date
    Oct 2013
    Posts
    78
    Thanks
    55
    Thanked 0 Times in 0 Posts

    Default Re: Using passwords the right way?

    Alright, this seems to work:

    (At start.)
    String masterPassword = hashPassword("password");

    (Further down within the same class, shamelessly copied from here.)
       public String hashPassword(String incomingPassword)
        {
            String passwordToHash = incomingPassword;
            String generatedPassword = null;
            try {
                // Create MessageDigest instance for MD5
                MessageDigest messageDigest = MessageDigest.getInstance("MD5");
                //Add password bytes to digest
                messageDigest.update(passwordToHash.getBytes());
                //Get the hash's bytes
                byte[] bytes = messageDigest.digest();
                //This bytes[] has bytes in decimal format;
                //Convert it to hexadecimal format
                StringBuilder stringBuilder = new StringBuilder();
                for(int i=0; i< bytes.length ;i++)
                {
                    stringBuilder.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
                }
                //Get complete hashed password in hex format
                generatedPassword = stringBuilder.toString();
            }
            catch (NoSuchAlgorithmException e1)
            {
                e1.printStackTrace();
            }
            System.out.println(generatedPassword);
     
            return generatedPassword;
        }

    (Password comparison.)
                    String fetchPassword = hashPassword(String.valueOf(passwordField.getPassword()));
     
                    if(fetchPassword.equals(masterPassword))
                    {
                        JOptionPane.showMessageDialog(null,"Master password used.");
                        masterPasswordUsed = true;
                        passwordChecksOut = true;
                        passwordDialog.dispose();
                    }

    Does it look like this could work or is there something I could have done better? =)

  10. #7
    Member andbin's Avatar
    Join Date
    Dec 2013
    Location
    Italy
    Posts
    443
    Thanks
    4
    Thanked 122 Times in 114 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by Lora_91 View Post
    is there something I could have done better? =)
    Yes, somethings can be better:

    1) You have used getBytes() to get the byte[] from the String. However, getBytes() uses the "default" charset of the platform, that can vary from one O.S. to the other. So, depending on the O.S., you can get a different byte array from the same string. This is, in general, bad.
    For things like this, always impose a well known charset, for example UTF-8.

    passwordToHash.getBytes("UTF-8")

    This getBytes can throw UnsupportedEncodingException, which is a "checked" exception, if the charset is bad/unknown. But UTF-8 is always implemented in a Java Runtime (stated by official specifications), so you can catch UnsupportedEncodingException and throw an Error just to tell that there is a very strange and anomalous error.


    2) The:
    Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1)

    is correct but is more a sort of "workaround". From Java 5 there is the formatting functionality:

    String.format("%02X", theByte)


    3) You have used:
    String.valueOf(passwordField.getPassword())

    It's technically ok, but the reason to use getPassword() is to have a char[] that you can fill to clear the password. If you create a String, its content is a new char array that you can't reach directly, so the password "floats" somewhere in memory and possibly on a disk swap.

    You should obtain a byte[] from the char[] in a specified charset. There's nothing "direct" to do this (at least not in the Java SE framework), you can do this using different approaches that make use of one or more specific classes, e.g. OutputStreamWriter + ByteArrayOutputStream or directly with a java.nio.charset.Charset.

    Note: this is more a security issue than other.
    Andrea, www.andbin.netSCJP 5 (91%) – SCWCD 5 (94%)

    Useful links for Java beginnersMy new project Java Examples on Google Code

  11. The Following User Says Thank You to andbin For This Useful Post:

    Lora_91 (January 23rd, 2014)

  12. #8
    Member
    Join Date
    Oct 2013
    Posts
    78
    Thanks
    55
    Thanked 0 Times in 0 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by andbin View Post
    3) You have used:
    String.valueOf(passwordField.getPassword())

    It's technically ok, but the reason to use getPassword() is to have a char[] that you can fill to clear the password. If you create a String, its content is a new char array that you can't reach directly, so the password "floats" somewhere in memory and possibly on a disk swap.

    You should obtain a byte[] from the char[] in a specified charset. There's nothing "direct" to do this (at least not in the Java SE framework), you can do this using different approaches that make use of one or more specific classes, e.g. OutputStreamWriter + ByteArrayOutputStream or directly with a java.nio.charset.Charset.

    Note: this is more a security issue than other.
    I'm not sure I quite understand what you mean.

    I tried switching all of the String variables to char[]:


        char[] masterPassword = new char[]{'p',
        						 'a',
        						 's',
        						 's',
        						 'w',
        						 'o',
        						 'r',
        						 'd'};


      char[] fetchPassword = null;
    				try {
    					fetchPassword = hashPassword(passwordField.getPassword());
    				} catch (UnsupportedEncodingException e1) {
    					e1.printStackTrace();
    				}
     
                    if(fetchPassword.equals(masterPassword))
                    {
                    	JOptionPane.showMessageDialog(null,"Master password used.");
                        masterPasswordUsed = true;
                        passwordChecksOut = true;
                        passwordDialog.dispose();
                    }

       public char[] hashPassword(char[] incomingPassword) throws UnsupportedEncodingException
        {
            char[] passwordToHash = incomingPassword;
            char[] generatedPassword = new char[90];
            try {
                // Create MessageDigest instance for MD5
                MessageDigest messageDigest = MessageDigest.getInstance("MD5");
                //Add password bytes to digest
                messageDigest.update((byte) passwordToHash.length);
                //Get the hash's bytes
                byte[] bytes = messageDigest.digest();
                //This bytes[] has bytes in decimal format;
                //Convert it to hexadecimal format
                StringBuilder stringBuilder = new StringBuilder();
                for(int i=0; i< bytes.length ;i++)
                {
                    stringBuilder.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
                }
                //Get complete hashed password in hex format
                for(int i = 0; i < stringBuilder.length(); i++)
                {
                    generatedPassword[i] = stringBuilder.charAt(i);
     
                }
            }
            catch (NoSuchAlgorithmException e1)
            {
                e1.printStackTrace();
            }
            System.out.println(generatedPassword);
     
            return generatedPassword;
        }

    But it doesn't seem to be working, probably because I don't quite understand what you mean by getting a byte[] from the char[]. =/

  13. #9
    Member andbin's Avatar
    Join Date
    Dec 2013
    Location
    Italy
    Posts
    443
    Thanks
    4
    Thanked 122 Times in 114 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by Lora_91 View Post
    But it doesn't seem to be working, probably because I don't quite understand what you mean by getting a byte[] from the char[]. =/
    char[] charArray = ........
     
    Charset utf8 = Charset.forName("UTF-8");
    ByteBuffer byteBuffer = utf8.encode(CharBuffer.wrap(charArray));

    And note that MessageDigest has a void update(ByteBuffer input)

    After the use you can (and should if security is an issue) zero-fill the ByteBuffer but you need to know a bit about how ByteBuffer works.

    (Charset is in java.nio.charset and ByteBuffer is in java.nio)
    Andrea, www.andbin.netSCJP 5 (91%) – SCWCD 5 (94%)

    Useful links for Java beginnersMy new project Java Examples on Google Code

  14. The Following User Says Thank You to andbin For This Useful Post:

    Lora_91 (January 23rd, 2014)

  15. #10
    Member
    Join Date
    Oct 2013
    Posts
    78
    Thanks
    55
    Thanked 0 Times in 0 Posts

    Default Re: Using passwords the right way?

    So should the hashPassword method use char[], byte[] or String? Should there even be any String variables involved with the passwords at all, or do all of them risk leaking out?

    I'm really confused as to how to go about this. =/

  16. #11
    Member andbin's Avatar
    Join Date
    Dec 2013
    Location
    Italy
    Posts
    443
    Thanks
    4
    Thanked 122 Times in 114 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by Lora_91 View Post
    So should the hashPassword method use char[], byte[] or String? Should there even be any String variables involved with the passwords at all, or do all of them risk leaking out?.
    Every String object contains a char[] that is not shared nor directly accessible (since strings are "immutable"). So a password in a String cannot be cleared.
    Any array and also a ByteBuffer can be easily cleared/filled (for arrays it's sufficient the fill method of java.util.Arrays).

    In your code the hashPassword(char[] incomingPassword), receiving a char[], is fine and appropriate.
    Andrea, www.andbin.netSCJP 5 (91%) – SCWCD 5 (94%)

    Useful links for Java beginnersMy new project Java Examples on Google Code

  17. The Following User Says Thank You to andbin For This Useful Post:

    Lora_91 (January 23rd, 2014)

  18. #12
    Member
    Join Date
    Oct 2013
    Posts
    78
    Thanks
    55
    Thanked 0 Times in 0 Posts

    Default Re: Using passwords the right way?

       public char[] hashPassword(char[] incomingPassword) throws UnsupportedEncodingException
        {
            char[] passwordToHash = incomingPassword;
            char[] generatedPassword;
            try {
                MessageDigest messageDigest = MessageDigest.getInstance("MD5");
     
                messageDigest.update((byte) passwordToHash.length);
     
                byte[] bytes = messageDigest.digest();
     
                StringBuilder stringBuilder = new StringBuilder();
     
                generatedPassword = new char[bytes.length];
                for(int i=0; i< bytes.length ;i++)
                {
                	generatedPassword[i] = (char) bytes[i];
                    //stringBuilder.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
                }
                System.out.println(generatedPassword);
     
                return generatedPassword;
            }
            catch (NoSuchAlgorithmException e1)
            {
                e1.printStackTrace();
            }
            return null;
     
        }

    Tried to edit the password hashing method to work with a char[], unfortunately I don't seem to be able to get it right. The generated password appears to end up completely random: "U?@????!", "&)??A". Also not sure whether or not I should be using the StringBuilder since it creates a String which is exactly what we're trying to avoid?

  19. #13
    Member andbin's Avatar
    Join Date
    Dec 2013
    Location
    Italy
    Posts
    443
    Thanks
    4
    Thanked 122 Times in 114 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by Lora_91 View Post
    Tried to edit the password hashing method to work with a char[], unfortunately I don't seem to be able to get it right.
    In my answer #9 I have (I hope) clearly explained how to obtain a ByteBuffer (perfectly suitable for MessageDigest) from a char[].
    What's the difficulty?
    Andrea, www.andbin.netSCJP 5 (91%) – SCWCD 5 (94%)

    Useful links for Java beginnersMy new project Java Examples on Google Code

  20. The Following User Says Thank You to andbin For This Useful Post:

    Lora_91 (January 23rd, 2014)

  21. #14
    Member
    Join Date
    Oct 2013
    Posts
    78
    Thanks
    55
    Thanked 0 Times in 0 Posts

    Default Re: Using passwords the right way?

    The difficulty is that I don't quite understand how to use the code you suggested, I tried to read up on ByteBuffers but it didn't really give me much. =/

       public char[] hashPassword(char[] incomingPassword) throws UnsupportedEncodingException
        {
            char[] passwordToHash = incomingPassword;
            char[] generatedPassword = null;
            try {
                MessageDigest messageDigest = MessageDigest.getInstance("MD5");
     
                messageDigest.update((byte) passwordToHash.length);
     
                byte[] bytes = messageDigest.digest();
     
     
                Charset utf8 = Charset.forName("UTF-8");
                ByteBuffer byteBuffer = utf8.encode(CharBuffer.wrap(?));
     
     
     
                generatedPassword = new char[bytes.length];
                for(int i=0; i< bytes.length ;i++)
                {
                	generatedPassword[i] = (char) bytes[i];
                    //stringBuilder.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
                }
                System.out.println(generatedPassword);
     
                return generatedPassword;
            }
            catch (NoSuchAlgorithmException e1)
            {
                e1.printStackTrace();
            }
            return null;
     
        }

    The byteBuffer won't take a byte[] variable but wants a char[], but the generatedPassword doesn't have a value yet and I'm not even sure how to give it one without making use of the stringBuilder.

  22. #15
    Member andbin's Avatar
    Join Date
    Dec 2013
    Location
    Italy
    Posts
    443
    Thanks
    4
    Thanked 122 Times in 114 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by Lora_91 View Post
    The difficulty is that I don't quite understand how to use the code you suggested
    Reread my answer #9, please.
    1) You start with a char[] (the password in clear).
    2) Create a Charset for UTF-8.
    3) Encode the characters sequence in a ByteBuffer.
    4) MessageDigest has an update method that can receive the ByteBuffer, invoke update with that ByteBuffer (there's no return value, it's void).
    5) Invoke digest() on MessageDigest to get the byte[] that is the MD5.
    Andrea, www.andbin.netSCJP 5 (91%) – SCWCD 5 (94%)

    Useful links for Java beginnersMy new project Java Examples on Google Code

  23. The Following User Says Thank You to andbin For This Useful Post:

    Lora_91 (January 23rd, 2014)

  24. #16
    Member
    Join Date
    Oct 2013
    Posts
    78
    Thanks
    55
    Thanked 0 Times in 0 Posts

    Default Re: Using passwords the right way?

    Alright, so it should look like this?

    char[] passwordToHash = incomingPassword;
    char[] generatedPassword = null;
            try {
                Charset utf8 = Charset.forName("UTF-8");
                ByteBuffer byteBuffer = utf8.encode(CharBuffer.wrap(passwordToHash));
     
                MessageDigest messageDigest = MessageDigest.getInstance("MD5");
     
                messageDigest.update(byteBuffer);
     
                byte[] bytes = messageDigest.digest();
     
                generatedPassword = bytes;
                //generatedPassword = bytes;
                System.out.println(bytes);
                om 
                return null;
    For the most part anyway, but now we are left with a bytes variable which holds the password, when we were supposed to return a char, so should I try and convert it from byte to char?

  25. #17
    Member andbin's Avatar
    Join Date
    Dec 2013
    Location
    Italy
    Posts
    443
    Thanks
    4
    Thanked 122 Times in 114 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by Lora_91 View Post
    Alright, so it should look like this?
    Yes, now your code has sense! But if you arrived at this solution (more complex than using String for the clear password), it's supposed because you care much about security. Thus after the use you should:
    - fill to clear the char[] for the initial password.
    - fill to clear the ByteBuffer.
    - (eventually) fill to clear the byte[] of the digest.

    Quote Originally Posted by Lora_91 View Post
    but now we are left with a bytes variable which holds the password
    The byte[] bytes contains the hash of the password.

    Quote Originally Posted by Lora_91 View Post
    when we were supposed to return a char, so should I try and convert it from byte to char?
    If you want a "user-readable" hash, typically in hexadecimal format, you have already done this! See your answer #6 and also my answer #7 (point 2) )

    Sorry, it seems you are a bit confused and not able to put pieces together ..... take a big breathe, reread those answers and you will arrive at the final result.
    Andrea, www.andbin.netSCJP 5 (91%) – SCWCD 5 (94%)

    Useful links for Java beginnersMy new project Java Examples on Google Code

  26. The Following User Says Thank You to andbin For This Useful Post:

    Lora_91 (January 23rd, 2014)

  27. #18
    Member
    Join Date
    Oct 2013
    Posts
    78
    Thanks
    55
    Thanked 0 Times in 0 Posts

    Default Re: Using passwords the right way?

    So if bytes is the hash, then that's what we use to compare the passwords, correct? And then bytes is the data we wish to return:

       public byte[] hashPassword(char[] incomingPassword) throws UnsupportedEncodingException
        {
            char[] passwordToHash = incomingPassword;
            try {
            	Charset utf8 = Charset.forName("UTF-8");
            	ByteBuffer byteBuffer = utf8.encode(CharBuffer.wrap(passwordToHash));
     
            	MessageDigest messageDigest = MessageDigest.getInstance("MD5");
     
                messageDigest.update(byteBuffer);
     
                byte[] bytes = messageDigest.digest();
     
                return bytes;
            }
            catch (NoSuchAlgorithmException e1)
            {
                e1.printStackTrace();
            }
            return null;
        }

    Comparing entered password to stored password:

            if(e.getSource() == passwordConfirmButton)
            {
                    boolean masterPasswordUsed = false;
                    byte[] fetchPassword = null;
    		try {
    			fetchPassword = hashPassword(passwordField.getPassword());
     
                    	JOptionPane.showMessageDialog(null, "Checking if they match.");
    			if(fetchPassword.equals(hashPassword(masterPassword)))
    			{
    			    JOptionPane.showMessageDialog(null,"Master password used.");
    			    masterPasswordUsed = true;
    			    passwordChecksOut = true;
    			    passwordDialog.dispose();
    			}else
    			{
    			    JOptionPane.showMessageDialog(null, "They did not...");
    			    JOptionPane.showMessageDialog(null, "Masterpassword is: " + String.valueOf(masterPassword));
    			    JOptionPane.showMessageDialog(null, "Entered password is: " + passwordField.getText());
    			    JOptionPane.showMessageDialog(null, String.valueOf(fetchPassword) + " : " + String.valueOf(hashPassword(masterPassword)));
    			}
    		} catch (UnsupportedEncodingException e1) {
    		e1.printStackTrace();
    	}

    Unfortunately their hashed versions do not appear to turn out the same, even though the stored and entered text is exactly the same (which is what I'm checking with the JOptionPane's), so I must still be doing something wrong. =/

  28. #19
    Member andbin's Avatar
    Join Date
    Dec 2013
    Location
    Italy
    Posts
    443
    Thanks
    4
    Thanked 122 Times in 114 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by Lora_91 View Post
    Unfortunately their hashed versions do not appear to turn out the same
    Because, again for arrays, they don't redefine the equals() method, so remains the equals() inherited from Object, that it is only based on object "identity", it compares only the references (not the content).
    Since you certainly have different byte[] objects, they are "different" (for Object.equals), even if they have the same length/content.
    Sorry but these are really really basic concepts ... that you should know.

    Possible options:
    1) use the public static boolean equals(byte[] a, byte[] a2) from java.util.Arrays, that does the "right" thing you expect.
    2) format the byte[] hash in, e.g. hexadecimal (as already mentioned), and compare the strings.
    3) do a for loop and compare each byte in the byte[] arrays.
    Andrea, www.andbin.netSCJP 5 (91%) – SCWCD 5 (94%)

    Useful links for Java beginnersMy new project Java Examples on Google Code

  29. The Following User Says Thank You to andbin For This Useful Post:

    Lora_91 (January 23rd, 2014)

  30. #20
    Member
    Join Date
    Oct 2013
    Posts
    78
    Thanks
    55
    Thanked 0 Times in 0 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by andbin View Post
    Sorry but these are really really basic concepts ... that you should know.
    Sorry, really not used to working with byte[] or char[]...

    Quote Originally Posted by andbin View Post
    3) do a for loop and compare each byte in the byte[] arrays.
    This seems to have worked! =)

                    byte[] fetchPassword = null;
                    byte[] comparedPassword = null;
    		try {
    			fetchPassword = hashPassword(passwordField.getPassword());
    			comparedPassword = hashPassword(masterPassword);
                    	boolean keepRunning = true;
    			boolean passwordMatch = false;
    			int i = 0;
    			while(keepRunning == true)
    			{
    				if(i < fetchPassword.length)
    				{
    					if(fetchPassword[i] != comparedPassword[i])
    					{
    						keepRunning = false;
    					}
    				}else
    				{
    					if(keepRunning == true)
    					{
    						passwordMatch = true;
    						keepRunning = false;
    					}
    				}
     
    				i++;
    			}
     
    			if(passwordMatch == true)
    			{

    It accepts the correct password and declines an incorrect one. There shouldn't be any information floating around now should there?

  31. #21
    Member andbin's Avatar
    Join Date
    Dec 2013
    Location
    Italy
    Posts
    443
    Thanks
    4
    Thanked 122 Times in 114 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by Lora_91 View Post
    This seems to have worked! =)
    To be honest, I left this option as the last ... because the use of Arrays.equals method is far a better way to do this!

    Quote Originally Posted by Lora_91 View Post
    There shouldn't be any information floating around now should there?
    You have to explicitly fill the arrays and ByteBuffer to "clear" all sensitive (the password) informations.
    Andrea, www.andbin.netSCJP 5 (91%) – SCWCD 5 (94%)

    Useful links for Java beginnersMy new project Java Examples on Google Code

  32. The Following User Says Thank You to andbin For This Useful Post:

    Lora_91 (January 23rd, 2014)

  33. #22
    Member
    Join Date
    Oct 2013
    Posts
    78
    Thanks
    55
    Thanked 0 Times in 0 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by andbin View Post
    To be honest, I left this option as the last ... because the use of Arrays.equals method is far a better way to do this!
    Alright, that method seems to have worked out rather well too. =)



                    boolean masterPasswordUsed = false;
                    byte[] fetchPassword = null;
                    byte[] comparedPassword = null;
                    byte k = 0;
    		try {
    			fetchPassword = hashPassword(passwordField.getPassword());
    			comparedPassword = hashPassword(masterPassword);
     
     
    			if(java.util.Arrays.equals(fetchPassword, comparedPassword) == true)
    			{
    				JOptionPane.showMessageDialog(null,"Master password used.");
    			        masterPasswordUsed = true;
    				passwordChecksOut = true;
    				passwordDialog.dispose();
    			}
     
    			java.util.Arrays.fill(fetchPassword, k);
    			java.util.Arrays.fill(comparedPassword, k);

            char[] passwordToHash = incomingPassword;
            char[] generatedPassword = null;
            try {
            	Charset utf8 = Charset.forName("UTF-8");
            	ByteBuffer byteBuffer = utf8.encode(CharBuffer.wrap(passwordToHash));
     
            	MessageDigest messageDigest = MessageDigest.getInstance("MD5");
     
                    messageDigest.update(byteBuffer);
     
                    byte[] bytes = messageDigest.digest();
     
                   java.util.Arrays.fill(passwordToHash,'a');
                   byteBuffer.clear();
     
                   return bytes;

    Quote Originally Posted by andbin View Post
    You have to explicitly fill the arrays and ByteBuffer to "clear" all sensitive (the password) informations.
    Hope I did it correctly in the code above.

  34. #23
    Member andbin's Avatar
    Join Date
    Dec 2013
    Location
    Italy
    Posts
    443
    Thanks
    4
    Thanked 122 Times in 114 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by Lora_91 View Post
                   byteBuffer.clear();
    From javadoc documentation of clear() in Buffer:

    "Clears this buffer. The position is set to zero, the limit is set to the capacity, and the mark is discarded.
    [....]
    This method does not actually erase the data in the buffer
    "
    Andrea, www.andbin.netSCJP 5 (91%) – SCWCD 5 (94%)

    Useful links for Java beginnersMy new project Java Examples on Google Code

  35. The Following User Says Thank You to andbin For This Useful Post:

    Lora_91 (January 23rd, 2014)

  36. #24
    Member
    Join Date
    Oct 2013
    Posts
    78
    Thanks
    55
    Thanked 0 Times in 0 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by andbin View Post
    From javadoc documentation of clear() in Buffer:

    "Clears this buffer. The position is set to zero, the limit is set to the capacity, and the mark is discarded.
    [....]
    This method does not actually erase the data in the buffer
    "
    Sorry, couldn't find any other way to clear/fill it, reading up further on ByteBuffer didn't result in any answers either. =/

  37. #25
    Member andbin's Avatar
    Join Date
    Dec 2013
    Location
    Italy
    Posts
    443
    Thanks
    4
    Thanked 122 Times in 114 Posts

    Default Re: Using passwords the right way?

    Quote Originally Posted by Lora_91 View Post
    Sorry, couldn't find any other way to clear/fill it
    clear() plus an invocation of put(byte[]) passing a new byte[theCapacityOfByteBuffer] (that by itself has all zeros)
    Andrea, www.andbin.netSCJP 5 (91%) – SCWCD 5 (94%)

    Useful links for Java beginnersMy new project Java Examples on Google Code

  38. The Following User Says Thank You to andbin For This Useful Post:

    Lora_91 (January 23rd, 2014)

Page 1 of 2 12 LastLast

Similar Threads

  1. Setting up a SHA-256 hash for multiple passwords
    By Djinn in forum Java Theory & Questions
    Replies: 4
    Last Post: November 17th, 2013, 10:04 AM
  2. Need help with checking passwords
    By kb1213 in forum What's Wrong With My Code?
    Replies: 11
    Last Post: April 12th, 2011, 05:32 PM