[security-dev] PicketLink IDM API - Should PasswordCredential use char[] instead of String

Darran Lofthouse darran.lofthouse at jboss.com
Sat Dec 1 10:23:15 EST 2012

It is a fairly common recommended practice that passwords are stored 
using character arrays instead of String - this means that as soon as it 
is finished with the array can be cleared instead of relying on the 
garbage collector to remote the String from the heap.

Just thinking should PasswordCredential also do the same?

Darran Lofthouse.

More information about the security-dev mailing list