On 12/02/2012 01:23 AM, Darran Lofthouse wrote:
> It is a fairly common recommended practice that passwords are stored
> using character arrays instead of String - this means that as soon as it
> is finished with, the array can be cleared instead of relying on the
> garbage collector to remove the String from the heap.
> Just thinking, should PasswordCredential also do the same?
Probably a smart idea - would you leave the constructor and
getPassword() methods as is and just convert between the String and char
array, like so:
    public class PasswordCredential implements Credential {
        // Stored as char[] so it can be overwritten once no longer needed
        private char[] password;

        public PasswordCredential(String password) {
            this.password = password.toCharArray();
        }

        // Note: building a new String here puts an immutable copy back on the
        // heap, which is the very thing the char[] storage was meant to avoid
        public String getPassword() {
            return new String(password);
        }
    }
Or would that still be considered as a vulnerability? I'm just thinking
of the use cases where it's easier to bind a UI component directly to a
String value. We probably also need a Credential.clear() method also.
Regards,
Darran Lofthouse.
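The alternative discussed above, written out as an added example (not the project's own PasswordCredential, and the Credential interface with its clear() method is an assumption based on the proposal in the thread): the secret is kept only as a char[], getPassword() hands back a copy rather than a String, and clear() overwrites the stored characters so the caller does not have to wait for garbage collection.

```java
import java.util.Arrays;

// Assumed interface: the thread proposes adding clear() to Credential.
interface Credential {
    void clear();
}

// Added example, not PicketLink/JBoss code: char[]-backed credential with explicit wiping.
public final class PasswordCredential implements Credential {
    private final char[] password;
    private boolean cleared;

    public PasswordCredential(char[] password) {
        // Defensive copy: the caller can wipe its own array independently of ours.
        this.password = password.clone();
    }

    // Convenience for UI components that only offer a String. The String itself
    // remains on the heap until collected, so char[] is preferred where possible.
    public PasswordCredential(String password) {
        this(password.toCharArray());
    }

    // Returns a copy of the secret; the caller must Arrays.fill() it when done.
    public char[] getPassword() {
        if (cleared) {
            throw new IllegalStateException("credential has been cleared");
        }
        return password.clone();
    }

    // Overwrite the stored characters so the secret does not linger until GC.
    @Override
    public void clear() {
        Arrays.fill(password, '\0');
        cleared = true;
    }

    public static void main(String[] args) {
        char[] fromUi = "s3cret".toCharArray();      // constructed sample input
        PasswordCredential cred = new PasswordCredential(fromUi);
        Arrays.fill(fromUi, '\0');                     // caller wipes its own copy

        char[] copy = cred.getPassword();
        System.out.println("copy length: " + copy.length);
        Arrays.fill(copy, '\0');                       // consumer wipes the copy

        cred.clear();
        try {
            cred.getPassword();
        } catch (IllegalStateException e) {
            System.out.println("after clear(): " + e.getMessage());
        }
    }
}
```

Keeping the String constructor answers the UI-binding concern raised above, but it only helps if callers understand the String copy is out of their control; the char[] constructor plus clear() is the path that actually bounds the secret's lifetime in memory.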
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev