3

This comes from a security point of view. Best practice says not to use a String to store a password, but a char[]. Does this apply to using a password at any time? For example, is it acceptable to use a String to hold a password when using JDBC?

public final void Login(String username, String password){
...
conn = DriverManager.getConnection(url, username, password);
...
}

Or could a char[] be used here in place of the String?

4
  • You shouldn't use a String to ever hold sensitive data because of the way that Strings are stored in Java. char[] will in general be SAFER. Commented Dec 3, 2013 at 3:35
  • 1
    "Guideline 2-2: Do not log highly sensitive information. Some information, such as Social Security numbers (SSNs) and passwords, is highly sensitive. This information should not be kept for longer than necessary nor where it may be seen, even by administrators. For instance, it should not be sent to log files and its presence should not be detectable through searches. Some transient data may be kept in mutable data structures, such as char arrays, and cleared immediately after use." But I don't know how to use char[] in place of String in the example I gave. Commented Dec 3, 2013 at 3:40
  • It's important that you decide if you mean password or key. A password is generally character data and is best represented as a string. A key is binary data and should be an array of byte or something similar. Commented Dec 3, 2013 at 3:41
  • 2
    @Kon - The "safety" difference between a String and a char[] is microscopic. Their internal representations are essentially identical. Commented Dec 3, 2013 at 3:44

2 Answers

3

I don't know that I accept your premise that a char[] is more secure than a String in the context of a system resource (e.g. a JDBC database connection). Regardless, you can use a connection manager (or connection pool, whichever is appropriate to your container), and then the connection manager (and only the connection manager) has visibility to the underlying database username / password.


7 Comments

"I don't know that I accept your premise that a char [] is more secure than a String" You should. Array elements can be overwritten, a string is stored in the string pool.
There are lot of articles on why NOT String for passwords. Better review them.
If it's loaded at runtime, and accessed by user-code... how secure can it be?
@JeroenVannevel - yes, char[] can in theory be overwritten. also, it can be copied around to various memory pools before it is overwritten, thus making the overwriting pointless. if something has access to the jvm memory, you have already lost all security...
@jtahlborn …and the optimizer can eliminate writes that are never followed by a read…
1

String in Java is immutable: once you create it, it can't be changed. Thus whenever we say String s="abc"; s="def"; they do not refer to the same string. Instead an "abc" string object is created and s refers to it; when we say s="def", another string object "def" is created and referred to by s, abandoning "abc".

So "abc" is left in the heap, and now suppose this is some highly secure password floating in the heap just waiting to be accessed by some wrong party.

That is why it is encouraged to use char[] for passwords.

There are other alternatives like StringBuffer too.

4 Comments

But unless you're foolish enough to intern it, a String is GCed as quickly as an array. (In fact, a String is an array, with a few extra fields.)
@HotLicks Java 1.8.20 introduced String deduplication which essentially interns your String without you doing anything.
@Ryan string deduplication, as its name suggests, is only relevant if you have duplicate strings, in other words, not only one existing string, but at least two of them. There is no relevance to a string that is about to be garbage collected.
@HotLicks actually, it doesn’t matter whether you call intern() on it. It still gets garbage collected as soon as an ordinary array. But in either case, getting collected doesn’t imply that its memory gets overwritten. Of course, writing "password" into your code is a different beast, as the character data would even exist in memory when no string has been created, as part of the class data.
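The following is an added example, not code from the question or either answer. It puts the two answers together: a small class in the role of the first answer's "connection manager", which is the only thing that holds the credentials, keeps the password as a char[] and zeroes it with Arrays.fill once it is no longer needed, while the String handed to the JDBC driver (which is unavoidable, because DriverManager.getConnection only takes a String) is kept on a short lifetime. The JDBC URL, user name and password are placeholders, and the sample password in main is constructed for the demo; a real program would obtain it from something like Console.readPassword(), which already returns a char[].

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Properties;

/**
 * Added example (not from the original post). Only this class sees the database
 * credentials. The password lives in a char[] so it can be overwritten; a String
 * copy is created only at the moment the driver needs it.
 */
public final class DbCredentials implements AutoCloseable {
    private final String url;        // placeholder JDBC URL, assumption for the demo
    private final String username;
    private final char[] password;   // mutable, so it can be wiped
    private boolean cleared = false;

    public DbCredentials(String url, String username, char[] password) {
        this.url = url;
        this.username = username;
        // Defensive copy: the caller remains responsible for wiping its own array.
        this.password = password.clone();
    }

    /**
     * Opens a connection. JDBC's API only accepts a String, so a String copy of the
     * password is unavoidable here; we just drop our reference to it immediately.
     */
    public Connection connect() throws SQLException {
        if (cleared) {
            throw new IllegalStateException("credentials already cleared");
        }
        Properties props = new Properties();
        props.setProperty("user", username);
        // The driver and DriverManager receive a String; the char[] stays in this class.
        props.setProperty("password", new String(password));
        try {
            return DriverManager.getConnection(url, props);
        } finally {
            // Drop the String copy; the char[] is kept so a pool can reconnect later.
            props.remove("password");
        }
    }

    /** Overwrites the password characters. After this, connect() refuses to run. */
    @Override
    public void close() {
        Arrays.fill(password, '\0');
        cleared = true;
    }

    /** Returns true if every element of the array has been zeroed. */
    static boolean isWiped(char[] chars) {
        for (char ch : chars) {
            if (ch != '\0') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        char[] pw = "s3cret".toCharArray();   // constructed sample, not a real secret
        String asString = new String(pw);     // what a String-typed API would keep

        // Placeholder URL; no driver is on the classpath in this stand-alone demo,
        // so connect() is expected to fail with "No suitable driver".
        try (DbCredentials creds = new DbCredentials("jdbc:h2:mem:demo", "app", pw)) {
            try (Connection c = creds.connect()) {
                System.out.println("connected: " + !c.isClosed());
            } catch (SQLException e) {
                System.out.println("no driver available: " + e.getMessage());
            }
        }                                     // close() wipes the internal copy
        Arrays.fill(pw, '\0');                // the caller wipes its own copy too

        System.out.println("char[] wiped: " + isWiped(pw));  // true
        System.out.println("String still readable: " + asString); // "s3cret": no way to clear it
    }
}
```

As the comments above point out, this is best effort: the driver's String copy, any internal copies it makes, and the class-file constant in a hard-coded literal are all outside this class's control, and overwriting only narrows the window in which the password sits in memory rather than closing it. Loading the password from a file, environment variable or secret store instead of a literal avoids the class-data copy mentioned in the last comment.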
