
I adapted this code from the official Java Tutorial page "Console - Java Tutorial":

import java.io.Console;
import java.util.Arrays;

public class RedirectOutputStreamExample {
    public static void main(String[] args) throws InterruptedException {
        Console c = System.console();
        if (c == null) {
            System.err.println("No console.");
            System.exit(1);
        }

        String login = c.readLine("Enter your login: ");
        char[] oldPassword = c.readPassword("Enter your old password: ");

        if (verify(login, oldPassword)) {
            boolean noMatch;
            do {
                char[] newPassword1 = c.readPassword("Enter your new password: ");
                char[] newPassword2 = c.readPassword("Enter new password again: ");
                noMatch = !Arrays.equals(newPassword1, newPassword2);
                if (noMatch) {
                    c.format("Passwords don't match. Try again.%n");
                } else {
                    c.format("Password for %s changed.%n", login);
                }
                // Overwrite both arrays, then print their (now blank) contents.
                // String.valueOf is needed: "..." + char[] would print the array's
                // object reference (e.g. [C@1b6d3586), not its characters.
                Arrays.fill(newPassword1, ' ');
                Arrays.fill(newPassword2, ' ');
                System.out.println("password is: " + String.valueOf(newPassword1));
                System.out.println("password is: " + String.valueOf(newPassword2));
            } while (noMatch);
        }
        Arrays.fill(oldPassword, ' ');
        System.out.println(oldPassword);   // println(char[]) prints the characters themselves
        // Keep the process alive so a heap dump can be taken with jmap <pid>.
        Thread.sleep(60000);
    }

    // Dummy verify method, as in the Java Tutorial example: accepts any login/password.
    static boolean verify(String login, char[] password) {
        return true;
    }
}

After the three passwords have been overwritten, they are printed out as empty lines (as expected). As you see:

[screenshot: console output showing the blank lines] (I had to do it in the console because the IntelliJ terminal had security problems and threw the error "no Console")

However, after the program was halted, a memory dump was created using jmap and the process ID.

[screenshot: execution of the program]

My entered password was still visible in the memory dump as you see:

[screenshot: password in memory dump]

How is that possible? Did I do something wrong? Is there a weak default security configuration in my JVM?

I asked ChatGPT and it suggests that console uses Strings in its internal operations.

Comments

  • What does the method change do? Commented Jun 14, 2024 at 11:42
  • Also, Java garbage collectors can move objects around in memory, including arrays, so it is entirely possible if that happened, that the old memory location still contains a copy of data even if you cleared it (that is, after it was moved). In short, you cannot rely on clearing an array for getting rid of the data from memory. Commented Jun 14, 2024 at 11:48
  • You can't, basically. Clearing it is better than not clearing it, but as I said, it is not guaranteed to work in the face of garbage collectors moving data around. Commented Jun 14, 2024 at 12:46
  • I repeated those steps above almost 20 times, and every time I could see my password in the memory dump. I can't imagine that it was due to the garbage collector moving data every single time. Although it would mean that secure login in Java would not be possible. Commented Jun 14, 2024 at 13:08
  • What about the verify method? Could it be holding a copy of the password? Commented Jun 14, 2024 at 16:59

1 Answer

As long as you have no clue what change() is doing, it is definitely possible that a String instance of your char array was created somewhere, and that this String can be found in a heap dump. If you are really that paranoid that this may not happen, you should use the J9 JVM; it will not dump the values to a regular heap dump.

To avoid the clear text of any password being kept somewhere in memory, you should hash the passwords immediately after getting them and do all further steps only with the hashes – given that change() would work with that too, or that you can re-implement it.

Otherwise, from the screenshot of the heap dump, I would say that it would be difficult to identify the string as the password without knowing the password.
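The following is an added example of the answer's suggestion, written for this page and not taken from the question, the answer or the Java Tutorial. It derives a PBKDF2 hash directly from the char[] that Console.readPassword() returns (PBEKeySpec accepts char[], so the application never builds a String from the password), stores only salt and hash, verifies with a constant-time comparison, and wipes every array the application itself owns. The class name, the PBKDF2 parameter values and the constructed fallback input used when no console is available are assumptions.

```java
import java.io.Console;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class HashImmediatelyExample {
    // PBKDF2 parameters; the values are assumptions chosen for this example.
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 600_000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    /** What gets stored: a random salt and the derived key, never the password. */
    static final class StoredHash {
        final byte[] salt;
        final byte[] hash;
        StoredHash(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    /**
     * Derives PBKDF2 output straight from the char[] that Console.readPassword()
     * returned, without creating a String from it in application code.
     */
    static byte[] derive(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance(ALGORITHM);
            // Caveat: the SecretKey object the JDK builds here keeps its own copies of
            // the password and key until it is garbage-collected. The application cannot
            // wipe those, which is the point made in the comments on the question.
            return factory.generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword(); // PBEKeySpec holds its own copy of the char[]; wipe it
        }
    }

    /** Enrolls a new password: derive the hash, then wipe the caller's array. */
    static StoredHash enroll(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        try {
            return new StoredHash(salt, derive(password, salt));
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /** Re-derives with the stored salt and compares in constant time. */
    static boolean verify(char[] candidate, StoredHash stored) {
        try {
            return MessageDigest.isEqual(derive(candidate, stored.salt), stored.hash);
        } finally {
            Arrays.fill(candidate, '\0');
        }
    }

    static boolean isWiped(char[] a) {
        for (char ch : a) {
            if (ch != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) {
        Console c = System.console();
        char[] first, second;
        if (c != null) {
            first = c.readPassword("Enter your new password: ");
            second = c.readPassword("Enter new password again: ");
        } else {
            // Constructed input so the example also runs where no console exists (e.g. an IDE).
            first = "correct horse battery".toCharArray();
            second = "correct horse battery".toCharArray();
        }
        StoredHash stored = enroll(first);       // first is all '\0' from here on
        boolean match = verify(second, stored);  // second is all '\0' from here on
        System.out.println(match ? "Passwords match; hash stored." : "Passwords don't match.");
        System.out.println("input arrays wiped: " + (isWiped(first) && isWiped(second)));
    }
}
```

Run it from a real terminal to exercise Console.readPassword(); under an IDE it falls back to the constructed input. Everything the application keeps after enroll() is the StoredHash, so a later heap dump can at most expose salt and hash; copies held inside the JDK's own key objects, and any stale copies left behind by a moving garbage collector, remain outside the application's control.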
