// Test the method directly
        char[] password1 = "testpassword".toCharArray();
        char[] password2 = "testpassword".toCharArray();
        char[] password3 = "testpassworX".toCharArray();

        Boolean result1 = (Boolean) constantTimeMethod.invoke(null, password1, password2);
        Boolean result2 = (Boolean) constantTimeMethod.invoke(null, password1, password3);

///

## Password hashing { #password-hashing }

"Hashing" means converting some content (a password in this case) into a sequence of bytes (just a string) that looks like gibberish.

Whenever you pass exactly the same content (exactly the same password) you get exactly the same gibberish.

But you cannot convert from the gibberish back to the password.

### Why use password hashing { #why-use-password-hashing }

If the passwords don't match, we return the same error.

#### Password hashing { #password-hashing }

"Hashing" means: converting some content (a password in this case) into a sequence of bytes (just a string) that looks like gibberish.

Whenever you pass exactly the same content (exactly the same password) you get exactly the same gibberish.

* Make sure you have well defined Pydantic models for your request bodies and responses.
* Configure any required permissions and roles using dependencies.
* Never store plaintext passwords, only password hashes.
* Implement and use well-known cryptographic tools, like Passlib and JWT tokens, etc.
* Add more granular permission controls with OAuth2 scopes where needed.
* ...etc.

* The **input model** needs to be able to have a password.
* The **output model** should not have a password.
* The **database model** would probably need to have a hashed password.

/// danger

Never store user's plaintext passwords. Always store a "secure hash" that you can then verify.

If you don't know, you will learn what a "password hash" is in the [security chapters](security/simple-oauth2.md#password-hashing){.internal-link target=_blank}.

///

Now, whenever a browser is creating a user with a password, the API will return the same password in the response.

In this case, it might not be a problem, because it's the same user sending the password.

But if we use the same model for another *path operation*, we could be sending our user's passwords to every client.

/// danger

/// tip

This is how you would handle **passwords**. Receive them, but don't return them in the API.

You would also **hash** the values of the passwords before storing them, **never store them in plain text**.

///

The fields of `HeroCreate` are:

* `name`
* `age`
* `secret_name`

     *
     * @return default credentials, user name
     */
    String getDefaultUsername();

    /**
     *
     * Property {@code jcifs.smb.client.password}
     *
     * @return default credentials, password
     */
    String getDefaultPassword();

    /**
     * Lanman compatibility level
     *

    protected boolean disableSpnegoIntegrity = false;
    /** Whether to enforce SPNEGO integrity checking */
    protected boolean enforceSpnegoIntegrity = true;
    /** Whether plain text passwords are disabled */
    protected boolean disablePlainTextPasswords = true;
    /** OEM encoding for non-Unicode operations */
    protected String oemEncoding = SmbConstants.DEFAULT_OEM_ENCODING;

///

## Passwort-Hashing

„Hashing“ bedeutet: Konvertieren eines Inhalts (in diesem Fall eines Passworts) in eine Folge von Bytes (ein schlichter String), die wie Kauderwelsch aussieht.

Immer wenn Sie genau den gleichen Inhalt (genau das gleiche Passwort) übergeben, erhalten Sie genau den gleichen Kauderwelsch.

Sie können jedoch nicht vom Kauderwelsch zurück zum Passwort konvertieren.