* @param password the password to authenticate with
     */
    public NtlmPasswordAuthentication(final CIFSContext tc, final String domain, final String username, final String password) {
        super(domain != null ? domain : tc.getConfig().getDefaultDomain(),
                username != null ? username : tc.getConfig().getDefaultUsername() != null ? tc.getConfig().getDefaultUsername() : "GUEST",

* The **input model** needs to be able to have a password.
* The **output model** should not have a password.
* The **database model** would probably need to have a hashed password.

/// danger

Never store user's plaintext passwords. Always store a "secure hash" that you can then verify.

If you don't know, you will learn what a "password hash" is in the [security chapters](security/simple-oauth2.md#password-hashing){.internal-link target=_blank}.

///

///

## Passwort-Hashing { #password-hashing }

„Hashing“ bedeutet: Konvertieren eines Inhalts (in diesem Fall eines Passworts) in eine Folge von Bytes (ein schlichter String), die wie Kauderwelsch aussieht.

Immer wenn Sie genau den gleichen Inhalt (genau das gleiche Passwort) übergeben, erhalten Sie genau den gleichen Kauderwelsch.

                        throw new RuntimeException("Plain text passwords are disabled");
                    } else {
                        // plain text
                        final String password = a.getPassword();
                        this.lmHash = new byte[(password.length() + 1) * 2];
                        this.ntHash = new byte[0];
                        writeString(password, this.lmHash, 0);
                    }
                }

# OAuth2 con Password (y hashing), Bearer con tokens JWT { #oauth2-with-password-and-hashing-bearer-with-jwt-tokens }

Ahora que tenemos todo el flujo de seguridad, hagamos que la aplicación sea realmente segura, usando tokens <abbr title="JSON Web Tokens">JWT</abbr> y hashing de contraseñas seguras.

Este código es algo que puedes usar realmente en tu aplicación, guardar los hashes de las contraseñas en tu base de datos, etc.

            throw new IllegalArgumentException("Master password cannot be null or empty");
        }

        // Generate salt for key derivation
        this.salt = new byte[SALT_SIZE];
        secureRandom.nextBytes(this.salt);

        // Derive master key from password
        this.masterKey = deriveKey(masterPassword, salt);

        // Clear the master password after use
        Arrays.fill(masterPassword, '\0');
    }

/// tip

This is how you would handle **passwords**. Receive them, but don't return them in the API.

You would also **hash** the values of the passwords before storing them, **never store them in plain text**.

///

The fields of `HeroCreate` are:

* `name`
* `age`
* `secret_name`

        Type3Message type3 =
                new Type3Message(createMockContext(), type2, null, "password", mixedCaseDomain, mixedCaseUser, "WORKSTATION", 0);

        // Then
        assertEquals(mixedCaseDomain, type3.getDomain());
        assertEquals(mixedCaseUser, type3.getUser());
    }

    @Test
    @DisplayName("Should handle long passwords")
    void testLongPasswords() throws Exception {
        // Given

При этом пользователи смогут одновременно входить в систему как из приложения Django, так и из приложения **FastAPI**.
///

## Хеширование и проверка паролей { #hash-and-verify-the-passwords }

Импортируйте необходимые инструменты из `pwdlib`.

Создайте экземпляр PasswordHash с рекомендованными настройками — он будет использоваться для хэширования и проверки паролей.

/// tip | Подсказка

Now, whenever a browser is creating a user with a password, the API will return the same password in the response.

In this case, it might not be a problem, because it's the same user sending the password.

But if we use the same model for another *path operation*, we could be sending our user's passwords to every client.

/// danger