So, I've done some digging on Java password hashing and basically found that the usual algorithms like MD5 (not using this one anyways), SHA1, and SHA-256 are not so secure because they are too fast. I've seen a good amount of support towards external implementations like BCrypt.
I really like the idea of using BCrypt, but it sort of defeats the purpose. Most of us probably know by now that the char[] getPassword() method of JPasswordField is more secure because it prevents the String that is returned by getText() from being tossed into the JVM string pool, which could be exposed if the system was under a memory attack.
But the BCrypt implementation for Java (and probably other platforms too) uses Strings, which defeats the entire purpose of using a char[].
So, does anyone have a recommended workaround for this issue besides redoing the original BCrypt code myself? I am not a security expert and I would rather not mess with an encryption algorithm with which I am not familiar.
Or, is using Strings with BCrypt okay, because the odds of such an attack are relatively minimal to begin with?
Or, is there another recommended library similar to BCrypt that provides support for char arrays? I'm open to suggestions.
The program I am writing will have to communicate with a database on a remote machine, so the passwords will have to be sent over the network.
You can use Password4j like this:
You can find more info about SecureStrings here.
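For the question's char[]-versus-String concern, an added example (not code from either post or from any library named above): it swaps in the JDK's built-in PBKDF2 in place of BCrypt, because `PBEKeySpec` accepts a `char[]` directly and can wipe its internal copy. The class name, iteration count and sample password are assumptions made for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class CharArrayPasswordHash {
    // Assumed parameters for illustration; tune the work factor to your hardware.
    private static final int ITERATIONS = 600_000;
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;

    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // Derives the hash straight from the char[]; no String is created on this path.
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec clones the array; wipe that clone
        }
    }

    static boolean verify(char[] candidate, byte[] salt, byte[] expected) throws Exception {
        byte[] actual = hash(candidate, salt);
        try {
            return MessageDigest.isEqual(actual, expected); // constant-time comparison
        } finally {
            Arrays.fill(actual, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; in a Swing app this would be passwordField.getPassword().
        char[] password = {'c', 'o', 'r', 'r', 'e', 'c', 't', ' ', 'h', 'o', 'r', 's', 'e'};
        byte[] salt = newSalt();
        byte[] stored = hash(password, salt);
        boolean match = verify(password, salt, stored);
        Arrays.fill(password, '\0'); // the caller wipes its own copy once done
        boolean wrong = verify(new char[] {'x'}, salt, stored);
        System.out.println("correct password: " + match + ", wrong password: " + wrong);
    }
}
```

Store the salt and iteration count next to the derived hash so that `verify` can be repeated later with the same parameters.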