
Working with JPasswordField and its getText/getPassword method


Hello everybody, I am working on the first piece of communication between the server and the client of my game. Obviously, due to the fact that I am starting from zero, I am planning each part of the program carefully.

I was looking in the Swing API and I found JPasswordField, which is a normal input field, but for passwords.

As you know, it returns a String if the deprecated method getText() is called, or an array of chars if getPassword() is called.

Reading SO, I understood that it is not a good idea to use getText, nor something like

String password = String.valueOf(passwordField.getPassword());

because doing so I am creating a String that can stay in memory for a long time.

What I tried to create is something that can convert that password without using Strings, and I created this:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;

public static String digest(char[] in) throws NoSuchAlgorithmException {

    MessageDigest md = MessageDigest.getInstance("SHA-256");

    // convert each char to bytes; this goes through a one-char String and
    // uses the platform default charset
    ArrayList<Byte> list = new ArrayList<Byte>();
    for(int i = 0; i<in.length; i++){
        String ch = String.valueOf(in[i]);
        byte[] b = ch.getBytes();
        for(int j = 0; j<b.length;j++){
            list.add(b[j]);
        }
    }
    // unbox the list into a primitive byte[] for the digest
    byte[] inputInByte = new byte[list.size()];
    for(int i =0;i<list.size();i++){
        inputInByte[i] = list.get(i);
    }
    md.update(inputInByte);

    byte byteData[] = md.digest();

    // hex-encode the 32-byte digest, zero-padding single-digit values
    StringBuffer hexString = new StringBuffer();
    for (int i = 0; i < byteData.length; i++) {
        String hex = Integer.toHexString(0xff & byteData[i]);
        if (hex.length() == 1) {
            hexString.append('0');
        }
        hexString.append(hex);
    }
    return hexString.toString();
}

The question is: is this algorithm correct and good for the security of the password? I had to use a String to convert from char to byte.

Also, I return a hashed String; is there any problem with that? It should be quite difficult to find the password starting from the hash ;)

What about the database connection? HSQLDB allows me to create queries, but each query is a String......


Solution

  • I think your code is quite OK, but you are still working with String to create the byte value, so you had better change String.valueOf(in[i]); to something like this:

    public static String digest(char[] in) throws NoSuchAlgorithmException {
    
        MessageDigest md = MessageDigest.getInstance("SHA-256");
    
        ArrayList<Byte> list = new ArrayList<Byte>();
        for(int i = 0; i<in.length; i++){
            byte b = (byte) in[i]; // cast directly; keeps the low 8 bits of the char
            list.add(b);
        }
        byte[] inputInByte = new byte[list.size()];
        for(int i =0;i<list.size();i++){
            inputInByte[i] = list.get(i);
        }
        md.update(inputInByte);
    
        byte byteData[] = md.digest();
    
        StringBuffer hexString = new StringBuffer();
        for (int i = 0; i < byteData.length; i++) {
            String hex = Integer.toHexString(0xff & byteData[i]);
            if (hex.length() == 1) {
                hexString.append('0');
            }
            hexString.append(hex);
        }
        return hexString.toString();
    }
    

    That is also easier than using that for loop and the two-step conversion to byte.
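As an added example, not part of the question or the answer above: the char[] can be encoded to bytes through a CharBuffer without ever creating a String, the intermediate arrays can be wiped once the digest has used them, and for stored credentials PBKDF2 (which accepts the char[] directly) is the better choice than a single SHA-256. It assumes Java 17 for HexFormat; the sample password and salt are constructed here.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HexFormat;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordDigest {
    // Encode the char[] as UTF-8 through a CharBuffer: no String is created and
    // every char survives the conversion (a (byte) cast keeps only the low 8 bits).
    public static String sha256Hex(char[] password) throws GeneralSecurityException {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] bytes = new byte[encoded.remaining()];
        encoded.get(bytes);
        try {
            return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(bytes));
        } finally {
            Arrays.fill(bytes, (byte) 0);                        // wipe both heap copies
            if (encoded.hasArray()) Arrays.fill(encoded.array(), (byte) 0);
        }
    }

    // A single SHA-256 is far too fast for stored credentials; PBKDF2 accepts the
    // char[] directly, so the password never becomes a String here either.
    public static byte[] pbkdf2(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec keeps its own copy of the chars; zero it
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] pw = "correct horse".toCharArray(); // constructed sample; in Swing: passwordField.getPassword()
        byte[] salt = new byte[16]; new SecureRandom().nextBytes(salt); // per-user salt, stored beside the hash
        try {
            System.out.println("sha256 = " + sha256Hex(pw));
            System.out.println("pbkdf2 = " + HexFormat.of().formatHex(pbkdf2(pw, salt, 100_000)));
        } finally {
            Arrays.fill(pw, '\0'); // the caller owns the array and wipes it when done
        }
    }
}
```

The hex hash that comes back is an ordinary String, which is fine: it is the value to bind as a query parameter, and the password itself is gone by then.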