
Do not hold user password in String object, use Char[] instead

Status: Open. davidmigloz opened this issue (1 comment)

A cardinal rule of passphrases in Java is: do not hold them in String objects. You have no means of clearing those from memory, as a String is an immutable value.

Instead of String, use Char[] for any sensitive data. When all operations are finished with Char[], it can be overwritten with zeros or junk text to clear it from memory.

References:
- https://nvisium.com/blog/2016/03/31/secure-password-strings.html
- https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords

davidmigloz · Jun 18 '18 10:06
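The pattern the issue asks for, shown as an added example rather than code from the secure-preferences project: the passphrase lives only in a `char[]`, is fed to PBKDF2 through `PBEKeySpec` (which itself accepts a `char[]` and exposes `clearPassword()`), and both the caller's array and the spec's internal copy are zeroed in a `finally` block. The class name, the iteration count and the sample passphrase are assumptions made for the example; the JCE calls (`SecretKeyFactory`, `PBEKeySpec`, `Arrays.fill`) are standard JDK APIs.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (not secure-preferences code): derive a key from a passphrase
// that is only ever held in a char[] and is wiped as soon as it is no longer needed.
public final class PassphraseKeyDerivation {

    // Assumed parameters for the example; pick values appropriate to the target device.
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    private PassphraseKeyDerivation() {}

    /**
     * Derives a PBKDF2-HMAC-SHA256 key from the passphrase. On return, whether normal
     * or exceptional, the caller's char[] has been overwritten with NULs, so it must not
     * be reused. The returned key bytes are sensitive too and should be zeroed after use.
     */
    public static byte[] deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();           // PBEKeySpec keeps its own copy; wipe it
            Arrays.fill(passphrase, '\0');  // wipe the caller's array
        }
    }

    /** True if every element of the array has been zeroed. */
    public static boolean isWiped(char[] buf) {
        for (char c : buf) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Constructed sample input. It is written as a char array literal on purpose:
        // "secret".toCharArray() would first create an immutable String in the constant
        // pool, which is exactly what the issue warns against. In a real program read the
        // passphrase with System.console().readPassword(), which already returns a char[].
        char[] passphrase = {'c', 'o', 'r', 'r', 'e', 'c', 't', ' ', 'h', 'o', 'r', 's', 'e'};

        byte[] key = deriveKey(passphrase, salt);
        System.out.println("derived " + key.length + " key bytes");
        System.out.println("passphrase wiped after use: " + isWiped(passphrase));

        // ... use key to build the cipher, then clear it as well ...
        Arrays.fill(key, (byte) 0);
    }
}
```

Two caveats a practitioner should keep in mind when adopting this: anything that turns the array back into a `String` along the way (`String.valueOf(passphrase)`, string concatenation in a log statement, a `toString()` on a wrapper object) silently reintroduces an unclearable copy; and the JVM may relocate or copy arrays during garbage collection, so zeroing is a best-effort reduction of the window in which the secret sits in memory, not a guarantee that no copy survives.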

Totally agree. PR welcome.

scottyab · Mar 12 '19 10:03