This repository has been archived by the owner on Mar 1, 2022. It is now read-only.

Do not hold user password in String object, use Char[] instead #84

Open
davidmigloz opened this issue Jun 18, 2018 · 1 comment


davidmigloz commented Jun 18, 2018

A cardinal rule of passphrases in Java is: do not hold them in String objects. You have no means of clearing those from memory, as a String is an immutable value.

Instead of String, use char[] for any sensitive data. When all operations are finished with the char[], it can be overwritten with zeros or junk text to clear it from memory.

References:
https://nvisium.com/blog/2016/03/31/secure-password-strings.html
https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords
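A worked illustration of the char[] handling described in this issue, added here as an example and not code from this repository: it derives a key from a password passed as char[] and wipes both the caller's array and the PBEKeySpec's internal copy in a finally block, so the wipe happens even if derivation throws. Class and method names, the salt and the sample passphrase are my own constructed values.

```java
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordHandling {
    // Constructed sample inputs; in a real app the salt is random per user and
    // the password arrives from the UI as char[], never as a String.
    private static final byte[] SAMPLE_SALT = new byte[16];
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    /**
     * Derives a key from the password and guarantees every copy of the
     * password is wiped before returning, whether or not derivation succeeds.
     * The caller hands over ownership of the array: it is zeroed here.
     */
    public static byte[] deriveKeyAndWipe(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = null;
        try {
            // PBEKeySpec copies the chars internally, so there are now two copies.
            spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            // Wipe the internal copy held by the spec...
            if (spec != null) {
                spec.clearPassword();
            }
            // ...and the caller's array. Overwrite it; nulling the reference is not enough.
            Arrays.fill(password, '\0');
        }
    }

    /** True once every element has been overwritten; used to verify the wipe. */
    public static boolean isWiped(char[] buf) {
        for (char c : buf) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample only
        // Anti-pattern: new String(pw) or String.valueOf(pw) would create an
        // immutable copy that cannot be cleared, defeating the char[] approach.
        byte[] key = deriveKeyAndWipe(pw, SAMPLE_SALT);
        System.out.println("key bytes: " + key.length + ", password wiped: " + isWiped(pw));
        Arrays.fill(key, (byte) 0); // the derived key is sensitive too; wipe it when done
    }
}
```

The same pattern applies to any API that accepts char[] (for example JPasswordField.getPassword() on the desktop); the one thing it cannot undo is a String that was created before the char[] existed, which is why the password must be read as char[] from the start.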

@scottyab
Owner

Totally agree. PR welcome.
