9 events
when | what | by | license | comment
May 23, 2017 at 12:26 history edited URL Rewriter Bot
replaced http://stackoverflow.com/ with https://stackoverflow.com/
Mar 17, 2017 at 13:14 history edited URL Rewriter Bot
replaced http://security.stackexchange.com/ with https://security.stackexchange.com/
Mar 9, 2017 at 10:24 comment added Holger Security relevant software should do something like sleep(secureRandom.nextInt()) before rejecting a login attempt anyway; that’s not only removing the possibility of timing attacks, it also counteracts brute force attempts.
Mar 9, 2017 at 10:22 comment added Holger Besides, comparing plaintext passwords isn’t the right thing anyway; the temptation to use Arrays.equals for char[] is as high as for String.equals. If anyone cared, there was a dedicated key class encapsulating the actual password and taking care of the issues—oh wait, the real security packages have dedicated key classes; this Q&A is only about a habit outside of them, say, e.g. JPasswordField, to use char[] instead of String (where the actual algorithms use byte[] anyway).
Jul 26, 2016 at 21:14 history edited Graph Theory CC BY-SA 3.0
added 448 characters in body
Mar 3, 2016 at 18:54 history edited Graph Theory CC BY-SA 3.0
deleted 5 characters in body
Jul 2, 2015 at 21:03 comment added Graph Theory You're absolutely correct, the mistake can be made either way. Knowing about the problem is the most important thing here, considering there's no explicit password-comparison method in Java for either String-based or char[]-based passwords. I'd say the temptation to use compare() for Strings is a good reason to go with char[]. That way you at least have control over how the comparison is done (without extending String, which is a pain imo).
Jul 1, 2015 at 5:41 comment added Mohit Kanwar But that could be there in char[] comparison as well; somewhere we would be doing the same in password validation too. So how is char[] better than String?
Apr 8, 2015 at 0:04 history answered Graph Theory CC BY-SA 3.0
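The comments above (Holger on Arrays.equals being as tempting for char[] as String.equals is for String, and the Graph Theory / Mohit Kanwar exchange on how the comparison is actually done) boil down to two separate points: a char[] can be wiped after use, and whatever you compare must be compared in constant time. The following is an added example written for this page, not code from the answer or from any of the commenters. It assumes the char[] comes from something like JPasswordField.getPassword(), and it uses the standard PBKDF2WithHmacSHA256 SecretKeyFactory (Java 8+) and MessageDigest.isEqual rather than comparing the plaintext at all; the sample password and salt handling are constructed for the demo.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordCheck {

    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    /** Derive a PBKDF2 hash from a char[] password; the caller wipes the array afterwards. */
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec holds its own copy of the password; wipe it too
        }
    }

    /** The tempting version: Arrays.equals returns at the first differing element, so it leaks timing. */
    static boolean leakyEquals(char[] a, char[] b) {
        return Arrays.equals(a, b);
    }

    /** Constant-time char[] comparison: every element is visited regardless of where they differ.
     *  (The length check still leaks length; for hashed secrets the length is fixed anyway.) */
    static boolean constantTimeEquals(char[] a, char[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    /** Verify a login attempt: hash it, compare hashes in constant time, wipe everything. */
    static boolean verify(char[] attempt, byte[] salt, byte[] storedHash) throws Exception {
        byte[] h = null;
        try {
            h = pbkdf2(attempt, salt);
            // MessageDigest.isEqual is time-constant for equal-length inputs (JDK 6u17 and later)
            return MessageDigest.isEqual(h, storedHash);
        } finally {
            if (h != null) Arrays.fill(h, (byte) 0);
            Arrays.fill(attempt, '\0'); // this is the point of char[]: a String could not be wiped
        }
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[16];
        rnd.nextBytes(salt);

        // Enrollment with a constructed sample password (not from the page); wiped after hashing.
        char[] enrolled = "correct horse battery staple".toCharArray();
        byte[] stored = pbkdf2(enrolled, salt);
        Arrays.fill(enrolled, '\0');

        // Two login attempts, as a JPasswordField would hand them over as char[].
        char[] good = "correct horse battery staple".toCharArray();
        char[] bad = "correct horse battery stapler".toCharArray();
        System.out.println("good attempt accepted: " + verify(good, salt, stored));
        System.out.println("bad attempt accepted:  " + verify(bad, salt, stored));
        System.out.println("attempt buffer wiped:  " + Arrays.equals(good, new char[good.length]));

        // Plaintext comparison, shown only to contrast the two helpers above.
        char[] x = "hunter2".toCharArray();
        char[] y = "hunter2".toCharArray();
        System.out.println("leaky/constant-time agree: " + (leakyEquals(x, y) == constantTimeEquals(x, y)));
    }
}
```

Compile and run with `javac PasswordCheck.java && java PasswordCheck`. The hash comparison is what actually matters in a login path; constantTimeEquals is there to show what "control over how the comparison is done" looks like if you ever do compare raw char[] values, and leakyEquals is the habit the comments warn against.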