0 votes
1 view
in Java by (3.5k points)
In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords.

Why does String pose a threat to security when it comes to passwords? It feels inconvenient to use char[].

1 Answer

0 votes
by (46.1k points)
Strings are immutable. That means once you've created the String, if another process can dump memory, there's no way (apart from reflection) you can get rid of the data before garbage collection kicks in.

With an array, you can explicitly wipe the data after you're done with it. You can overwrite the array with anything you like, and the password won't be present anywhere in the system, even before garbage collection.

So yes, this is a security concern - but even using char[] only reduces the window of opportunity for an attacker, and it's only for this specific type of attack.

Note that it's possible that arrays being moved by the garbage collector will leave stray copies of the data in memory. I believe this is implementation-specific - the garbage collector may clear all memory as it goes, to avoid this sort of thing. Even if it does, there's still the time during which the char[] contains the actual characters as an attack window.
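As an added illustration of the answer's point (example code, not part of the answer above): the password is kept in a char[], handed to a PBKDF2 key derivation (PBEKeySpec accepts char[] for exactly this reason), and zeroed in a finally block as soon as it is no longer needed. The sample password, salt, iteration count and key length are illustrative values chosen for this example.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHandling {

    // Derives a PBKDF2 key from the password and wipes the password from
    // memory before returning, whether or not derivation succeeded.
    static byte[] deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        // Iteration count and key length are illustrative values for this example.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();          // PBEKeySpec keeps its own copy; zero it
            Arrays.fill(password, '\0');   // zero the caller's array as well
        }
    }

    // True if every element has been overwritten with NUL.
    static boolean isWiped(char[] a) {
        for (char c : a) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Constructed sample input, built directly as a char[] so no String
        // copy of the password is ever created. In real code this would come
        // from JPasswordField.getPassword() or Console.readPassword().
        char[] password = {'h', 'u', 'n', 't', 'e', 'r', '2'};

        byte[] key = deriveKey(password, salt);
        System.out.println("derived key length: " + key.length + " bytes");
        // A String holding the password would still be intact at this point,
        // waiting for garbage collection; the array has already been cleared.
        System.out.println("password wiped: " + isWiped(password));

        Arrays.fill(key, (byte) 0);   // wipe the derived key too once it is no longer needed
    }
}
```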
