Hello everybody, I am working on the first piece of communication between server and client of my game. Obviously, since I am starting from zero, I am designing each part of the program carefully.

I was looking in the Swing API and I found JPasswordField, which is a normal input field, but for passwords.

As you know, it returns a String if the deprecated method getText() is called, or an array of chars if getPassword() is called.

Reading on SO, I understood that it is not a good idea to use getText(), nor something like

String password = String.valueOf(passwordField.getPassword());

because by doing so I am creating a String that can stay in memory for a long time.

What I tried to create is something that can convert that password without using strings, and I created this:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;

public static String digest(char[] in) throws NoSuchAlgorithmException {

    MessageDigest md = MessageDigest.getInstance("SHA-256");

    // Collect the bytes of every char; each char is first wrapped in a String
    ArrayList<Byte> list = new ArrayList<Byte>();
    for (int i = 0; i < in.length; i++) {
        String ch = String.valueOf(in[i]);
        byte[] b = ch.getBytes();
        for (int j = 0; j < b.length; j++) {
            list.add(b[j]);
        }
    }
    // Unbox the list into a plain byte[] for the digest
    byte[] inputInByte = new byte[list.size()];
    for (int i = 0; i < list.size(); i++) {
        inputInByte[i] = list.get(i);
    }
    md.update(inputInByte);

    byte byteData[] = md.digest();

    // Render the 32 digest bytes as 64 lowercase hex characters
    StringBuffer hexString = new StringBuffer();
    for (int i = 0; i < byteData.length; i++) {
        String hex = Integer.toHexString(0xff & byteData[i]);
        if (hex.length() == 1) {
            hexString.append('0');
        }
        hexString.append(hex);
    }
    return hexString.toString();
}

The question is: is this algorithm correct and good for the security of the password? I had to use a String to convert from char to byte.

Also, I return a hashed string; is there any problem with that? It should be quite difficult to find the password starting from the hash ;)

How about the database connection? Hsqldb allows me to create queries, but each query is a string......


Solution 2

I think your code is quite OK, but you are still working with String to create the byte value, so you may be better off changing String.valueOf(in[i]); to something like this:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;

public static String digest(char[] in) throws NoSuchAlgorithmException {

    MessageDigest md = MessageDigest.getInstance("SHA-256");

    // Cast each char directly to a byte, so no String is created
    ArrayList<Byte> list = new ArrayList<Byte>();
    for (int i = 0; i < in.length; i++) {
        byte b = (byte) in[i];
        list.add(b);
    }
    byte[] inputInByte = new byte[list.size()];
    for (int i = 0; i < list.size(); i++) {
        inputInByte[i] = list.get(i);
    }
    md.update(inputInByte);

    byte byteData[] = md.digest();

    // Render the digest as zero-padded lowercase hex
    StringBuffer hexString = new StringBuffer();
    for (int i = 0; i < byteData.length; i++) {
        String hex = Integer.toHexString(0xff & byteData[i]);
        if (hex.length() == 1) {
            hexString.append('0');
        }
        hexString.append(hex);
    }
    return hexString.toString();
}

That is also easier than using that for loop and the two-step conversion to byte.

Other tips

Using a SHA-256 digest is a hash method, not a cryptographic one. It is like a fingerprint. Can you get a person from his fingerprints without testing everybody's (6 billion) fingerprints? No. It is used to store passwords in databases in PHP, for example. We just store the password's hash, and when the user wants to connect, we compute the hash of the newly entered password and compare it with the database's hash. This prevents users from stealing passwords if the database is hacked. But you cannot get the password from the hash. I hope I answered your question. By the way, consider using the Apache lib for message digest; it is easier and more safe, I think.
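As an added example that is not code from any of the posters, here is the char[] to byte[] conversion done through CharBuffer and the UTF-8 Charset encoder, which never creates a String and, unlike the plain (byte) cast in Solution 2, does not silently drop the high byte of non-ASCII characters; both the intermediate byte[] and the Swing array are zeroed after use. The class name and the sample password are constructed for the example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public final class PasswordDigest {

    // Encode the char[] straight into a byte[] via CharBuffer/ByteBuffer so no
    // String is ever created. UTF-8 keeps non-ASCII characters intact, whereas
    // (byte) in[i] would map e.g. 'ö' (0x00F6) and 'ö' with any other high byte
    // to the same value. The encoder's backing array is wiped before returning.
    static byte[] toUtf8Bytes(char[] in) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(in));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0);
        }
        return out;
    }

    // SHA-256 over the UTF-8 bytes of the password; the byte[] copy is zeroed
    // as soon as the digest has consumed it, whatever happens.
    public static String digest(char[] in) throws NoSuchAlgorithmException {
        byte[] bytes = toUtf8Bytes(in);
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return toHex(md.digest(bytes));
        } finally {
            Arrays.fill(bytes, (byte) 0);
        }
    }

    // Zero-padded lowercase hex, 64 characters for a 32-byte digest.
    static String toHex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample standing in for passwordField.getPassword().
        char[] pw = {'p', 'a', 's', 's', 'w', 'ö', 'r', 'd'};
        String hex = digest(pw);
        Arrays.fill(pw, '\0');   // wipe the Swing array once it has been used
        System.out.println(hex);
    }
}
```

The hex digest can safely live in a String because it is the hash, not the secret. For storing credentials, a salted, slow KDF is the usual choice; javax.crypto's PBEKeySpec also takes the password as a char[] and offers clearPassword() for the same reason.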

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow