...

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public final class Password {

  private void setPassword(String pass) throws Exception {
    byte[] salt = generateSalt(12); // fresh random salt for each stored password
    MessageDigest sha_1 = MessageDigest.getInstance("SHA-1");
    // hash the password bytes followed by the salt bytes
    byte[] hashVal = sha_1.digest(concat(pass.getBytes(StandardCharsets.UTF_8), salt));
    saveBytes(salt, "salt.bin");
    saveBytes(hashVal, "credentials.pwbin"); // save the hash value to credentials.pwbin
  }

  private boolean checkPassword(String pass) throws Exception {
    byte[] salt = loadBytes("salt.bin");
    MessageDigest sha_1 = MessageDigest.getInstance("SHA-1");
    // hash the candidate password with the stored salt, exactly as setPassword did
    byte[] hashVal1 = sha_1.digest(concat(pass.getBytes(StandardCharsets.UTF_8), salt));
    byte[] hashVal2 = loadBytes("credentials.pwbin"); // load the hash value stored in credentials.pwbin
    return Arrays.equals(hashVal1, hashVal2);
  }

  private byte[] generateSalt(int n) {
    // Generate a random byte array of length n from a cryptographic RNG
    byte[] salt = new byte[n];
    new SecureRandom().nextBytes(salt);
    return salt;
  }

  // Concatenate two byte arrays (password bytes || salt bytes)
  private static byte[] concat(byte[] a, byte[] b) {
    byte[] out = Arrays.copyOf(a, a.length + b.length);
    System.arraycopy(b, 0, out, a.length, b.length);
    return out;
  }

  private void saveBytes(byte[] data, String file) throws IOException {
    Files.write(Paths.get(file), data);
  }

  private byte[] loadBytes(String file) throws IOException {
    return Files.readAllBytes(Paths.get(file));
  }
}

While this fixes the decryption problem from the previous noncompliant code example, at runtime this code may still leave the password in memory as cleartext. The pass argument is an immutable String, so it cannot be overwritten after use and its contents remain in memory until the Java garbage collector eventually reclaims it. See MSC10-J, "Limit the lifetime of sensitive data," for more information.
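The hardened counterpart, as an added example that is not the page's own code: the password is handled as a char[] that every method overwrites before returning, the salt and password bytes are concatenated and hashed as raw bytes, and the stored hash is compared in constant time. The class and method names (PasswordStore, hashWithSalt, SALT_LEN) and the in-memory salt/hash fields standing in for the page's salt.bin and credentials.pwbin files are this example's own assumptions, as are the choices of SHA-256 instead of the page's SHA-1 and MessageDigest.isEqual instead of Arrays.equals.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.CoderResult;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public final class PasswordStore {
  private static final int SALT_LEN = 12;            // same salt length as the page's example
  private static final SecureRandom RNG = new SecureRandom();

  // Constructed stand-in for the page's salt.bin / credentials.pwbin files:
  // the stored credential is kept in memory to keep this example self-contained.
  private byte[] salt;
  private byte[] hash;

  // Takes the password as char[] so the caller's copy can be wiped; the array is
  // zeroed before this method returns, whether or not hashing succeeds.
  public void setPassword(char[] pass) throws Exception {
    byte[] newSalt = new byte[SALT_LEN];
    RNG.nextBytes(newSalt);
    byte[] digest = hashWithSalt(pass, newSalt);
    this.salt = newSalt;
    this.hash = digest;
  }

  public boolean checkPassword(char[] pass) throws Exception {
    if (salt == null || hash == null) {
      Arrays.fill(pass, '\0');                        // nothing stored yet; still wipe the input
      return false;
    }
    byte[] candidate = hashWithSalt(pass, salt);
    try {
      return MessageDigest.isEqual(candidate, hash);  // constant-time comparison
    } finally {
      Arrays.fill(candidate, (byte) 0);
    }
  }

  // Computes SHA-256(salt || UTF-8(pass)). Every buffer this method creates that holds
  // the password (the encoded bytes and the digest input) is overwritten in the finally
  // block, as is the caller's char[].
  private static byte[] hashWithSalt(char[] pass, byte[] salt) throws Exception {
    // UTF-8 needs at most 3 bytes per UTF-16 code unit, so one fixed-size buffer suffices;
    // encoding into it directly avoids the encoder allocating and abandoning partial copies.
    ByteBuffer encoded = ByteBuffer.allocate(pass.length * 3);
    byte[] input = null;
    try {
      CharsetEncoder enc = StandardCharsets.UTF_8.newEncoder();
      CoderResult r = enc.encode(CharBuffer.wrap(pass), encoded, true);
      if (r.isError()) {
        throw new IllegalArgumentException("password is not encodable as UTF-8");
      }
      enc.flush(encoded);
      encoded.flip();
      input = new byte[salt.length + encoded.remaining()];
      System.arraycopy(salt, 0, input, 0, salt.length);
      encoded.get(input, salt.length, encoded.remaining());
      return MessageDigest.getInstance("SHA-256").digest(input);
    } finally {
      Arrays.fill(pass, '\0');
      Arrays.fill(encoded.array(), (byte) 0);
      if (input != null) {
        Arrays.fill(input, (byte) 0);
      }
    }
  }

  public static void main(String[] args) throws Exception {
    PasswordStore store = new PasswordStore();

    // In a real program the password arrives directly as char[], e.g. from
    // System.console().readPassword(); a String literal is used here only to build test input.
    char[] pw = "correct horse battery".toCharArray();
    store.setPassword(pw);
    System.out.println("caller's array wiped after setPassword: " + isAllZero(pw));

    System.out.println("correct password accepted: "
        + store.checkPassword("correct horse battery".toCharArray()));
    System.out.println("wrong password rejected: "
        + !store.checkPassword("correct horse staple".toCharArray()));
  }

  private static boolean isAllZero(char[] a) {
    for (char c : a) {
      if (c != '\0') {
        return false;
      }
    }
    return true;
  }
}
```

The design point is that nothing the password passes through is immutable: the char[] argument, the encoder's output buffer and the digest input are all arrays this code allocates itself, so each can be zeroed in a finally block rather than left for the garbage collector. The main method only shows the behaviour; the literal it starts from would still sit in the String pool, which is why real input should be read straight into a char[].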

...