[security-dev] PicketLink IDM API - Should PasswordCredential use char[] instead of String
Shane Bryzak
sbryzak at redhat.com
Sun Dec  2 18:34:15 EST 2012
On 12/02/2012 01:23 AM, Darran Lofthouse wrote:
> It is a fairly common recommended practice that passwords are stored
> using character arrays instead of String - this means that as soon as it
> is finished with the array can be cleared instead of relying on the
> garbage collector to remove the String from the heap.
>
> Just thinking should PasswordCredential also do the same?
Probably a smart idea - would you leave the constructor and 
getPassword() methods as is and just convert between the String and char 
array, like so:
// Credential is the PicketLink IDM interface referred to in this thread (not shown here).
public class PasswordCredential implements Credential {
     private char[] password;

     // Accept a String for convenience (e.g. UI binding) and keep only the char[] copy.
     public PasswordCredential(String password) {
         this.password = password.toCharArray();
     }

     // Note: this creates a new immutable String on the heap each time it is called.
     public String getPassword() {
         return new String(password);
     }
}
Or would that still be considered a vulnerability?  I'm just thinking 
of the use cases where it's easier to bind a UI component directly to a 
String value.  We probably also need a Credential.clear() method.
>
> Regards,
> Darran Lofthouse.
>
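The trade-off Shane raises, shown as an added example written for this page (it is not PicketLink code; the class name WipeablePasswordCredential, matches() and checkNotCleared() are assumptions, and the sample password is constructed). It holds the secret as a char[], provides the clear() method the thread asks for, and in main() contrasts that with the String round-trip in the proposed getPassword(), which leaves a copy on the heap that no clear() can reach:

```java
import java.util.Arrays;

// Added example, not PicketLink code: a char[]-backed credential that can be
// wiped on demand, next to the String round-trip proposed in the thread.
public final class WipeablePasswordCredential {

    private char[] password;

    // Defensive copy: the caller keeps ownership of its array and should wipe it too.
    public WipeablePasswordCredential(char[] password) {
        this.password = Arrays.copyOf(password, password.length);
    }

    // Hands out a copy rather than the internal array; the caller must clear it.
    public char[] getPassword() {
        checkNotCleared();
        return Arrays.copyOf(password, password.length);
    }

    // Compares every character (no early exit on the first mismatch); only the
    // length check can reveal timing information.
    public boolean matches(char[] candidate) {
        checkNotCleared();
        if (candidate.length != password.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < password.length; i++) {
            diff |= password[i] ^ candidate[i];
        }
        return diff == 0;
    }

    // Overwrites the secret and drops the reference; later use is a programming error.
    public void clear() {
        if (password != null) {
            Arrays.fill(password, '\0');
            password = null;
        }
    }

    private void checkNotCleared() {
        if (password == null) {
            throw new IllegalStateException("credential has been cleared");
        }
    }

    public static void main(String[] args) {
        char[] typed = "correct horse".toCharArray(); // constructed sample input
        WipeablePasswordCredential cred = new WipeablePasswordCredential(typed);
        Arrays.fill(typed, '\0'); // caller wipes its own copy once it has been handed over

        char[] attempt = "correct horse".toCharArray();
        System.out.println("matches: " + cred.matches(attempt)); // true
        Arrays.fill(attempt, '\0');

        // The thread's proposed getPassword() { return new String(password); }:
        // the String is immutable, so clearing the credential afterwards does not
        // remove this copy of the secret from the heap.
        String stringCopy = new String(cred.getPassword());
        cred.clear();
        System.out.println("after clear(), String copy still readable: " + stringCopy);

        try {
            cred.getPassword();
        } catch (IllegalStateException e) {
            System.out.println("after clear(), char[] access fails: " + e.getMessage());
        }
    }
}
```

The UI-binding convenience Shane mentions can be kept by accepting a String in a secondary constructor and immediately calling toCharArray(); the copy that cannot be reclaimed early is the original String the UI component holds, not the credential's array, and that is the part a clear() method does not help with.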
    
    
More information about the security-dev
mailing list