Re: [security-dev] PicketLink IDM API - Should PasswordCredential use char[] instead of String

On 12/02/2012 01:23 AM, Darran Lofthouse wrote: > It is a fairly common recommended practice that passwords are stored > using character arrays instead of String - this means that as soon as it > is finished with the array can be cleared instead of relying on the > garbage collector to remote the String from the heap. > > Just thinking should PasswordCredential also do the same? Probably a smart idea - would you leave the constructor and getPassword() methods as is and just convert between the String and char array, like so: public class PasswordCredential implements Credential { private char[] password; public PasswordCredential(String password) { this.password = password.toCharArray(); } public String getPassword() { return new String(password); } } Or would that still be considered as a vulnerability? I'm just thinking of the use cases where it's easier to bind a UI component directly to a String value. We probably also need a Credential.clear() method also. > > Regards, > Darran Lofthouse. > > _______________________________________________ > security-dev mailing list > security-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev