Getting different hash values of the same password (+ salt)

Question

I was trying to get a hashed password following the code in here. From it, i'm only using, at the moment, the code for the salt method, the hash method and isExpectedPassword method.

I get my password from a text field:

char[] passCharArray = txtPassword.toString().toCharArray();

Then I call the class to get a salt value (I call it Encryptor instead of Passwords like in the original post):

byte[] salt = Encryptor.getNextSalt();

And then I get the hashed password:

byte[] hashedPass = Encryptor.hash(passCharArray, salt);

Using the following code I print the results to see what's going on and the results are commented:

String saltString = Arrays.toString(salt);
System.out.println("SALT: " + saltString);
//SALT: [18, 117, -98, 41, 92, 124, 118, 17, 107, 14, 0, -81, 110, 70, 10, 42]

String hashedPassString = Arrays.toString(hashedPass);
System.out.println("HASHED PASS: " + hashedPassString);
//HASHED PASS: [44, -127, -43, 84, 40, -16, -46, -71, 109, -44, -41, 47, -61, -119, 21, 99, -23, 101, -13, 116, -12, 118, -66, 44, 104, 5, 4, 18, -55, 47, 59, 116]

System.out.println("Passwords match: " + Encryptor.isExpectedPassword(passCharArray, salt, hashedPass));
//Passwords match: false

The below two are the System.out.prints I put in the isExpectedPassword method to see what values that one has upon being called.

//Encryptor pwdHash: [-103, -87, 53, -75, 59, 11, 77, 116, 123, 59, 68, -35, 16, -68, 42, 34, -32, 75, 22, -94, -37, -26, 16, 20, 7, -46, -6, -20, -88, 104, -121, 77]
//Encryptor expectedHash: [44, -127, -43, 84, 40, -16, -46, -71, 109, -44, -41, 47, -61, -119, 21, 99, -23, 101, -13, 116, -12, 118, -66, 44, 104, 5, 4, 18, -55, 47, 59, 116]

So basically, hashedPass (and expectedHash) should be the same as pwdHash, but it's not. I don't understand what I'm doing wrong. Am I missing something in my code? Does something change without my knowledge?

This is my full code, if people want to see the whole thing just in case:

public class Encryptor {

    private static final Random RANDOM = new SecureRandom();
    private static final int ITERATIONS = 10000;
    private static final int KEY_LENGTH = 256;

    private Encryptor(){}

    public static byte[] getNextSalt(){
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt);
        return salt;
    }

    public static byte[] hash(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_LENGTH);
        Arrays.fill(password, Character.MIN_VALUE);
        try {
            SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            return skf.generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new AssertionError("Error while hashing a password: " + e.getMessage(), e);
        } finally {
            spec.clearPassword();
        }
    }

    public static boolean isExpectedPassword(char[] password, byte[] salt, byte[] expectedHash) {
        byte[] pwdHash = hash(password, salt);

        String s = Arrays.toString(pwdHash);
        System.out.println("Encryptor pwdHash: " + s);

        String s2 = Arrays.toString(expectedHash);
        System.out.println("Encryptor expectedHash: " + s2);

        Arrays.fill(password, Character.MIN_VALUE);
        if (pwdHash.length != expectedHash.length) return false;
        for (int i = 0; i < pwdHash.length; i++) {
            if (pwdHash[i] != expectedHash[i]) return false;
        }
        return true;
    }


}


public class Controller implements Initializable {
    @FXML
    private Button btnLogin;
    //Some private variables

    @FXML
    private AnchorPane ancPane;
    @FXML
    private ImageView imgLogo;
    @FXML
    private Hyperlink hplRegister;
    @FXML
    private TextField txtUsername;
    @FXML
    private TextField txtPassword;

    @Override
    public void initialize(URL url, ResourceBundle resourceBundle) {
        //Some styling

        hplRegister.setOnAction(event -> {
            //Registering event
        });

        btnLogin.setOnAction(event -> {
            try {

                //Loading fxml data
                // I've put the code here just for testing purposes
                // and will not be the final placement.

                char[] passCharArray = txtPassword.toString().toCharArray();

                byte[] salt = Encryptor.getNextSalt();
                byte[] hashedPass = Encryptor.hash(passCharArray, salt);

                String saltString = Arrays.toString(salt);
                System.out.println("SALT: " + saltString);

                String hashedPassString = Arrays.toString(hashedPass);
                System.out.println("HASHED PASS: " + hashedPassString);

                System.out.println("Passwords match: " + Encryptor.isExpectedPassword(passCharArray, salt, hashedPass));

            }catch (Exception e){
                e.printStackTrace();
            }
        });
    }

    //Some getter methods.
}

Answer 1

The problem is you are wiping out password. when you hash the password you wipe out the char array fill it with blanks this clears passCharArray. When you pass it the second time it's basically checking the hash of the password versus the hash of a blank array. and those definitely do not match.

In a real case you will get salt and hashed password from a db or some other source. The incoming version will not be hashed, and thus cleared, until passed to isExpectedPassword