9 events
Dec 16, 2022 at 22:17 comment added bestsss @M.Justin char[] being mutable allows you to zap it; however, it does not prevent a compacting garbage collector from still having a copy of that char[]. In that regard it is not much better than a string. A direct byte (char) buffer would do the trick, as the memory is never copied (and is also not directly a part of a heap dump). For better or worse, most answers here (and the official Java docs) totally avoid the issue that in a managed environment modifying an object or an array does not guarantee memory being zeroed. DirectByteBuffer is pretty much what the docs should have recommended.
Dec 15, 2022 at 21:22 comment added M. Justin The reference by @bestsss below Jon's answer no longer appears to be present.
Jan 3, 2019 at 19:25 comment added luis.espinal @Dawesi - At which point? That's application specific, but the general rule is to do so as soon as you get hold of something that is supposed to be a password (plaintext or otherwise). You get it from the browser as part of an HTTP request, for instance. You cannot control the delivery, but you can control your own storage, so as soon as you get it, put it in a char[], do what you need to do with it, then set all to '0' and let the GC reclaim it.
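The handling described in the two comments above (copy into a char[], use it, zero it, and prefer a direct buffer so the GC never duplicates the bytes), as an added example that is not from the answer or from any commenter; the class and method names are hypothetical, and the sample password is constructed inline:

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public final class PasswordScrubDemo {

    // Hypothetical consumer: in practice this would feed a KDF or an auth call.
    // It must not copy the bytes into a String or a heap array of its own.
    static int usePassword(ByteBuffer encoded) {
        return encoded.remaining();
    }

    // Encodes the char[] into an off-heap buffer, uses it, then zeroes both copies.
    static int authenticate(char[] password) {
        CharsetEncoder enc = StandardCharsets.UTF_8.newEncoder();
        // Direct buffer: backing memory is outside the Java heap, so a compacting GC
        // does not move (and thereby duplicate) it, and it is not part of a heap dump.
        ByteBuffer direct = ByteBuffer.allocateDirect(
                (int) Math.ceil(password.length * enc.maxBytesPerChar()));
        enc.encode(CharBuffer.wrap(password), direct, true); // wrap() does not copy
        enc.flush(direct);
        direct.flip();
        try {
            return usePassword(direct);
        } finally {
            // Overwrite the off-heap bytes ...
            direct.clear();
            while (direct.hasRemaining()) direct.put((byte) 0);
            // ... and the caller's char[]. A String offers no equivalent.
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) {
        // Constructed sample; a real program would take this from Console.readPassword()
        // or from a request body read as bytes, never from a String literal.
        char[] pw = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        int n = authenticate(pw);
        System.out.println("used " + n + " bytes; char[] now " + Arrays.toString(pw));
        // Caveat raised in the comments: if the password ever existed as a String
        // (e.g. from a servlet request parameter), that copy is outside our control.
    }
}
```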
Nov 19, 2018 at 13:36 review Suggested edits
Nov 19, 2018 at 13:41
Aug 5, 2018 at 19:50 comment added Dawesi Once again though, the password is passed as a string from the browser to the request as 'string', not char? So no matter what you do it's a string, at which point it should be acted on and discarded, never stored in memory?
Jun 27, 2014 at 0:50 comment added SnakeDoc @bestass sorry, but String, and how it behaves in the JVM, is pretty well understood... there are good reasons to use char[] in place of String when dealing with passwords in a secure manner.
Aug 11, 2012 at 11:27 comment added user961954 @bestass Can you please also cite a reference?
Jan 22, 2012 at 20:45 comment added bestsss This is exactly the flawed/bogus reference I talk about below Jon's answer; it's a well-known source with a lot of criticism.
Jan 17, 2012 at 3:20 history answered Bruno CC BY-SA 3.0