0

I'm in the process of completing a login GUI and have been using BCrypt to encrypt a String password. After reading about deprecation warnings, where the getText() method is not recommended for security reasons, I decided to use getPassword() instead. However, as you are probably aware, it returns the password as a char[] array. How would I pass a char[] array into BCrypt without compromising security by converting the password into a String, which is accessible in memory?

Here is the BCrypt class: org.mindrot.jbcrypt.BCrypt

user2318861

1 Answer

0

You can use Password4j like this:

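```java
import com.password4j.Hash;
import com.password4j.Password;
import com.password4j.SecureString;

char[] password = passwordField.getPassword();
SecureString secure = new SecureString(password);

Hash hash = Password.hash(secure).withBCrypt();
// Clear the SecureString object
secure.clear();
// Also zero the original array returned by getPassword()
java.util.Arrays.fill(password, '\0');
```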

You can find more info about SecureStrings here.

Mirianna
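What keeping the password out of a String involves, as an added example (not code from the question, the answer, or Password4j): the char[] is encoded to UTF-8 bytes with the JDK alone, and every buffer that held the password is wiped afterwards. The class name `PasswordBytes`, the helper `toUtf8` and the sample password are constructed for illustration; the hand-off to a bcrypt implementation that accepts byte[] input is an assumption and is left as a comment.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class PasswordBytes {

    /** Encodes a char[] password as UTF-8 without ever creating a String. */
    static byte[] toUtf8(char[] password) {
        // CharBuffer.wrap shares the caller's array, so no extra copy of the chars exists.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] out = new byte[encoded.remaining()];
        encoded.get(out);
        // The encoder's own backing array still holds the password bytes: wipe it.
        if (encoded.hasArray()) {
            Arrays.fill(encoded.array(), (byte) 0);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for passwordField.getPassword().
        char[] password = {'c', 'o', 'r', 'r', 'e', 'c', 't', ' ', 'h', '\u00f6', 'r', 's', 'e'};
        byte[] utf8 = toUtf8(password);
        try {
            // Hypothetical hand-off: give utf8 to a bcrypt implementation
            // that takes byte[] input instead of a String.
            System.out.println("UTF-8 length: " + utf8.length);
        } finally {
            // Wipe both representations as soon as hashing is done,
            // even if the hashing step throws.
            Arrays.fill(utf8, (byte) 0);
            Arrays.fill(password, '\0');
        }
        System.out.println("char[] wiped: " + (password[0] == '\0'));
    }
}
```

Zeroing is best effort: a moving garbage collector may already have left copies of the array elsewhere on the heap, so the wipe shortens exposure rather than guaranteeing removal.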