[security-dev] PicketLink IDM API - Should PasswordCredential use char[] instead of String

Shane Bryzak sbryzak at redhat.com
Sun Dec 2 18:34:15 EST 2012

On 12/02/2012 01:23 AM, Darran Lofthouse wrote:
> It is a fairly common recommended practice that passwords are stored
> using character arrays instead of String - this means that as soon as it
> is finished with the array can be cleared instead of relying on the
> garbage collector to remote the String from the heap.
> Just thinking should PasswordCredential also do the same?

Probably a smart idea - would you leave the constructor and 
getPassword() methods as is and just convert between the String and char 
array, like so:

public class PasswordCredential implements Credential {
     private char[] password;

     public PasswordCredential(String password) {
         this.password = password.toCharArray();

     public String getPassword() {
         return new String(password);

Or would that still be considered as a vulnerability?  I'm just thinking 
of the use cases where it's easier to bind a UI component directly to a 
String value.  We probably also need a Credential.clear() method also.

> Regards,
> Darran Lofthouse.
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

More information about the security-dev mailing list