How do i retrieve a char array from a ResultSet?

Question

I'm trying to create a login window for my application, And looking over the web i found out that JPasswordField.getText() is deprecated because that by using that method it inserts the password string into the String pool and that's not cool apparently. So i wanna use the JPasswordField.getPassword() instead which returns an array of char. Now to my problem. My password is located in a table in a database , So by doing rs.getString() im actually still putting my password into the String pool, Is there any way to retrieve an array of char from the resultSet , Or what would be a better idea to use in order to retrieve the real password so i could compare them?

-Thanks.

Answer 1

In your database you should store two things for each username: a salt and a hash.

The salt should be a randomly generated string of junk that you append to the password the user enters. The hash should be the hash (sha256 or stronger is preferred - do NOT use MD5!) of the password with appended salt.

Example:

salt: dbIL%#JBD"ncON$SOcl)=?NJ!A
pass: helloworld123
string to hash: helloworld123dbIL%#JBD"ncON$SOcl)=?NJ!A
sha256 hash of the above string: 0bf4e6a0d9fb5c7f1f6becb107af068684b6373ed1489663c335bb87280403d9

When you then want to check if the user entered the correct password, get the salt from the database, hash the entered password with the salt appended (as shown in the example) and compare this hash to the stored hash in the database. If they match, the user entered the right password.

Answer 2

I would store the salted, hashed passwords in the database, and not worry that I put the hashed password into String pool. Compare the hashes.