
From what I understand, the best practice to store an encoded password (in Java) is in a byte array and the password itself in a char array.

I'm using Spring security to develop an authentication system for my app. They provide a password encoder bean such as:

    import org.springframework.context.annotation.Bean;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    // Declared inside a @Configuration class; BCryptPasswordEncoder uses work factor 10 by default.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

When I encode a password with it, it returns a String instead of a byte array as suggested.

The question is, should I use this password encoder provided by Spring, or should I make an encoder service using a pure Java library such as here: https://stackoverflow.com/a/18143616/9942602 ?

Hanif
  • You will probably write the encoded password to a persistent storage as a string sooner or later anyway? So why not use spring that is maintained instead of your own class that you will need to maintain yourself? – Niclas Lindgren Jul 11 '20 at 07:43
  • @niclaslindgren I will store the password in MySQL, with varbinary data type, and if possible not to convert it into String data type, since it will be immutable. – Hanif Jul 11 '20 at 09:31
  • @KavithakaranKanapathippillai I read somewhere that if we store the password in an array, we could wipe it completely from memory. Unlike String where it is immutable, and we need to call garbage collector to do the job. As for why it is byte, maybe because the salt/encoding protocol requires it to be a byte? I'm not exactly sure – Hanif Jul 11 '20 at 09:33
  • @Hanif it still shouldn't matter though as long as you only save the encoded password. Even if they retrieve that they cannot use the encoded password for anything as long as you use password encoder to match all inputs. – Niclas Lindgren Jul 11 '20 at 11:26

0 Answers
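The point the comments circle around is that the value worth protecting with a char[] is the plaintext password, not the bcrypt output: the encoder returns a String because a bcrypt hash is a 60-character, self-describing ASCII record (version, cost, salt and digest) that is meant to sit in a database column as text. The following demo is an added example, not code from the question, the linked answer or Spring Security itself; it assumes spring-security-crypto is on the classpath, and the class and method names (BcryptStorageDemo, hashAndWipe, verify) and the sample password are constructed for illustration. It shows the plaintext travelling as a char[] that is wiped after use, the String hash that comes back, and verification against that stored String.

```java
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added demo (not from the question or from Spring Security's documentation).
// Assumes spring-security-crypto is available on the classpath.
public class BcryptStorageDemo {

    // Work factor 12 is a constructed choice; the no-arg constructor defaults to 10.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(12);

    /** Hashes a plaintext held in a char[] and wipes the array once the hash exists. */
    public static String hashAndWipe(char[] plaintext) {
        try {
            // CharBuffer.wrap hands the encoder a CharSequence without this code creating a String.
            // Caveat: Spring's BCrypt implementation converts the CharSequence to a String
            // internally, so the char[] hygiene only covers the copy this code controls.
            return ENCODER.encode(CharBuffer.wrap(plaintext));
        } finally {
            Arrays.fill(plaintext, '\0'); // plaintext is no longer needed once the hash exists
        }
    }

    /** Checks a candidate password against the stored hash string, then wipes the candidate. */
    public static boolean verify(char[] candidate, String storedHash) {
        try {
            // The salt and cost are parsed back out of storedHash; nothing else needs to be kept.
            return ENCODER.matches(CharBuffer.wrap(candidate), storedHash);
        } finally {
            Arrays.fill(candidate, '\0');
        }
    }

    public static void main(String[] args) {
        // Constructed sample. In a real application the char[] would come straight from the
        // input source (e.g. Console.readPassword()) rather than from a String literal.
        char[] password = "correct horse battery staple".toCharArray();
        String hash = hashAndWipe(password);

        // The encoded value is a 60-character ASCII string of the form
        // "$2a$" + cost + "$" + 22-char salt + 31-char digest, e.g. "$2a$12$...".
        System.out.println(hash);
        System.out.println("format ok: " + (hash.startsWith("$2a$12$") && hash.length() == 60));
        System.out.println("plaintext wiped: " + (password[0] == '\0'));

        // Verification only needs the stored String; the same plaintext matches, a variant does not.
        System.out.println("good password: "
                + verify("correct horse battery staple".toCharArray(), hash));
        System.out.println("bad password:  "
                + verify("Correct horse battery staple".toCharArray(), hash));

        // If the column really must be VARBINARY, the hash is pure ASCII, so these bytes are
        // the same 60 characters; a VARCHAR(60) column is the usual choice.
        byte[] forVarbinary = hash.getBytes(StandardCharsets.US_ASCII);
        System.out.println("byte length: " + forVarbinary.length);
    }
}
```

Two things follow from running this. First, every call to hashAndWipe produces a different String for the same password, because BCryptPasswordEncoder generates a fresh random salt and embeds it in the output; comparisons must therefore go through matches(), never through string equality. Second, storing the hash as a byte[] or VARBINARY buys nothing over VARCHAR(60): the hash is not the secret, and Spring's encoder materializes it as a String internally anyway, so the char[] discipline is worth applying to the plaintext at the application boundary and nowhere else.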