JavaRanch » Java Forums » Java » Java in General
Is it secure to turn hashed passwords into a string or the hash value should be ALWAYS kept as char?

Alex Leite
Greenhorn

Joined: May 12, 2012
Posts: 3
I'm not completely sure if the way I'm reasoning when it comes to authentication is correct. Any thoughts/corrections/ideas on this would be appreciated.
The way I'm reasoning:
1 - I get the char[] array with getPassword.
2 - hash this pwd char[] array (well, technically not the array, but the string from pwd.toString())
3 - set array to "zeros"
4 - then I turn the result from the hashing into a String
5 - finally I compare this string with other strings resulting from other hashings using .equals()

From what I've learned you should keep passwords as char[] arrays instead of strings, that's why getPassword instead of getText. But then I was thinking, if you need to store this password in a database, eventually you will need to get a hash value from this char array and turn this hash value into a String so you can store it in the database, right? If not, how would I safely write a char array to the database in the Password column?

Questions:

But I'm not completely sure if a password should ALWAYS be kept as a char[] array, even after hashing it, or if it's fine to use a String once it's been hashed?

Also, in the line md.update(pwd.toString().getBytes()); I'm technically getting the "plain text password" as a string, right? But since I'm not assigning it to any variable, this plain text password is not getting stored as a string anywhere in memory at all, therefore not defeating the purpose of using getPassword instead of getText, correct? (Please, correct me if this reasoning is wrong!)

In short, am I doing anything wrong security-wise, or is this the way to go?

ps: I know I shouldn't be using MD5! This is just an assignment, though ;)
Jeff Verdegan
Bartender

Joined: Jan 03, 2004
Posts: 6109
Alex Leite wrote:
The way I'm reasoning:
1 - I get the char[] array with getPassword.
2 - hash this pwd char[] array (well, technically not the array, but the string from pwd.toString())


That won't get you what you want. It will give something like [C@45bab50a, which has no relation to the characters in the array. You'd need to use Arrays.toString(pwd) or new String(pwd).
But you shouldn't be turning the array into a String anyway. Just hash the characters.

From what I've learned you should keep passwords as char[] arrays instead of strings, that's why getPassword instead of getText. But then I was thinking, if you need to store this password in a database, eventually you will need to get a hash value from this char array and turn this hash value into a String so you can store it in the database, right? If not, how would I safely write a char array to the database in the Password column?


You don't store the password in the DB. You store the hash value. And it's safe to have the hash value present as a String.
Alex Leite
Greenhorn

Joined: May 12, 2012
Posts: 3
"That won't get you what you want. It will give something like [C@45bab50a, which has no relation to the characters in the array. You'd need to use Arrays.toString(pwd) or new String(pwd). "

Thanks for catching that one for me.

And thanks for the reply. Your answer was exactly what I was after.
Jeff Verdegan
Bartender

Joined: Jan 03, 2004
Posts: 6109
You're welcome!