Where is the password?

Luke Stephens (lstephen@ivisoft.com)
Fri, 23 Oct 1998 15:49:54 -0400

I have a very simple question. In all of the java.security and
java.cryptography work that has been done, who forgot about a simple
thing like a password class/object? In fact, why is there absolutely no
secure support for creating a character-based password? I make this
statement based on the facts:

1. Capturing a password as a string is insecure (note that the swing
JPasswordField has recognized this).

2. ALL OF THE CRYPTOGRAPHY INTERFACES REQUIRE BYTE[].

3. There is no way to accurately convert a character[] to a byte[]
without converting to a String first.

What I tried to do to create a "password" was to capture the character
input via a JPasswordField. Then I wanted to utilize a hash algorithm
(MD5 or SHA) to hash the char[] array to a value. Then (and I had to
write this) convert the output of the hash to character-based output (by
the way, why is there not a toString method on MessageDigest that
returns the value of the digest as a String?).

Luke Stephens
lstephen@ivisoft.com
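
The procedure described in the message above (a char[] password, a digest over it, a text form of the digest), as an added example that is not part of the original post. It uses the java.nio.charset classes, which arrived in Java releases later than this 1998 message, and assumes UTF-8 as the encoding and SHA-256 as the "SHA" digest; the class and method names are illustrative.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class PasswordDigestExample {

    // Encode a char[] to UTF-8 bytes without ever building a String.
    static byte[] toUtf8Bytes(char[] chars) {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[encoded.remaining()];
        encoded.get(out);
        // The encoder's own buffer also holds the secret; wipe it when reachable.
        if (encoded.hasArray()) {
            Arrays.fill(encoded.array(), (byte) 0);
        }
        return out;
    }

    // Render digest bytes as lowercase hex (the "toString" the post asks for).
    static String toHex(byte[] bytes) {
        char[] digits = "0123456789abcdef".toCharArray();
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(digits[(b >> 4) & 0xF]).append(digits[b & 0xF]);
        }
        return sb.toString();
    }

    // Digest the password, then zero both the byte copy and the caller's char[].
    static String digestPassword(char[] password) throws NoSuchAlgorithmException {
        byte[] raw = toUtf8Bytes(password);
        try {
            // Assumption: SHA-256 stands in for the post's "MD5 or SHA".
            return toHex(MessageDigest.getInstance("SHA-256").digest(raw));
        } finally {
            Arrays.fill(raw, (byte) 0);
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample; in the post's setup this is JPasswordField.getPassword().
        char[] password = {'c', 'o', 'r', 'r', 'e', 'c', 't'};
        System.out.println(digestPassword(password));
        System.out.println(Arrays.toString(password)); // array is zeroed after use
    }
}
```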