// Test the method directly
        char[] password1 = "testpassword".toCharArray();
        char[] password2 = "testpassword".toCharArray();
        char[] password3 = "testpassworX".toCharArray();

        Boolean result1 = (Boolean) constantTimeMethod.invoke(null, password1, password2);
        Boolean result2 = (Boolean) constantTimeMethod.invoke(null, password1, password3);

///

## Password hashing { #password-hashing }

"Hashing" means converting some content (a password in this case) into a sequence of bytes (just a string) that looks like gibberish.

Whenever you pass exactly the same content (exactly the same password) you get exactly the same gibberish.

But you cannot convert from the gibberish back to the password.

### Why use password hashing { #why-use-password-hashing }

        byte[] actual = NtlmUtil.getNTHash(password);

        // Assert
        assertArrayEquals(expected, actual, "NT hash must match known test vector");
    }

    @Test
    @DisplayName("getNTHash: verify different passwords produce different hashes")
    void testGetNTHash_differentPasswords() {
        // Arrange
        String password1 = "password";
        String password2 = "Password";

        // Act

/// tip

This is how you would handle **passwords**. Receive them, but don't return them in the API.

You would also **hash** the values of the passwords before storing them, **never store them in plain text**.

///

The fields of `HeroCreate` are:

* `name`
* `age`
* `secret_name`

            throw new IllegalArgumentException("Master password cannot be null or empty");
        }

        // Generate salt for key derivation
        this.salt = new byte[SALT_SIZE];
        secureRandom.nextBytes(this.salt);

        // Derive master key from password
        this.masterKey = deriveKey(masterPassword, salt);

        // Clear the master password after use
        Arrays.fill(masterPassword, '\0');
    }

        Type3Message type3 =
                new Type3Message(createMockContext(), type2, null, "password", mixedCaseDomain, mixedCaseUser, "WORKSTATION", 0);

        // Then
        assertEquals(mixedCaseDomain, type3.getDomain());
        assertEquals(mixedCaseUser, type3.getUser());
    }

    @Test
    @DisplayName("Should handle long passwords")
    void testLongPasswords() throws Exception {
        // Given

Now, whenever a browser is creating a user with a password, the API will return the same password in the response.

In this case, it might not be a problem, because it's the same user sending the password.

But if we use the same model for another *path operation*, we could be sending our user's passwords to every client.

/// danger

actual algorithm used, or depend on default values for the test cluster nodes.

==== Password length

While using `pbkdf2` as the password hashing algorithm, FIPS 140-2 imposes a requirement that
passwords are longer than 14 characters. You can either ensure that all test user passwords in
your test are longer than 14 characters and use i.e. `SecurityIntegTestCase#getFastStoredHashAlgoForTests`

            if (!lowerData.contains("password") && !lowerData.contains("secret") && !lowerData.contains("token")
                    && !lowerData.contains("key") && !lowerData.contains("credential") && !lowerData.contains("auth")) {
                return data; // No sensitive patterns detected, skip regex
            }
        }

        // Mask passwords and secrets using cached pattern

更多內容可參考 [PyJWT 安裝文件](https://pyjwt.readthedocs.io/en/latest/installation.html)。

///

## 密碼雜湊 { #password-hashing }

「雜湊」是指把某些內容（此處為密碼）轉換成一串看起來像亂碼的位元組序列（其實就是字串）。

每當你輸入完全相同的內容（完全相同的密碼），就會得到完全相同的亂碼。

但你無法從這串亂碼再反推回原本的密碼。

### 為什麼要用密碼雜湊 { #why-use-password-hashing }

如果你的資料庫被偷了，竊賊拿到的不是使用者的明文密碼，而只是雜湊值。

因此，竊賊無法直接拿該密碼去嘗試登入其他系統（由於許多使用者在各處都用同一組密碼，這會很危險）。