
Interning of String.valueOf()

Whilst handling passwords in Java, it's my understanding that they should always be handled in char[]s to allow GC and remove hanging references.

My question is: given

char[] password = String.valueOf(authentication.getCredentials()).toCharArray();

could the value of authentication.getCredentials() be interned or not?

It's not a question of interning the String; any security concerns around using Strings to store passwords arise from the amount of time they are present in memory.

With a char array you have the ability to wipe the contents once you've finished reading them. With a String (which is immutable) you're left relying on the garbage collector. This means that if someone has access to your server and dumps the memory, there may be a password visible.
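The wipe-after-use pattern the answer describes, as an added example that is not part of the original post. It assumes a hypothetical getCredentials() standing in for authentication.getCredentials() and uses a constructed sample credential. The copy helper avoids the intermediate String that String.valueOf(obj).toCharArray() would create; note that if getCredentials() itself returns a String, that String still sits on the heap until collected, and wiping the array copy does nothing about it.

```java
import java.util.Arrays;

public class PasswordHandling {

    // Stand-in for authentication.getCredentials() (assumption: returns Object,
    // as in Spring Security). Constructed sample value for the demo.
    static Object getCredentials() {
        return "s3cret".toCharArray();
    }

    // Copy the credential into a fresh char[] without building an intermediate
    // String. String.valueOf(obj).toCharArray() would first allocate a String
    // holding the plaintext, which cannot be wiped and lingers until GC.
    static char[] credentialChars(Object credentials) {
        if (credentials instanceof char[]) {
            return ((char[]) credentials).clone();
        }
        if (credentials instanceof CharSequence) {
            CharSequence cs = (CharSequence) credentials;
            char[] out = new char[cs.length()];
            for (int i = 0; i < out.length; i++) {
                out[i] = cs.charAt(i);
            }
            return out;
        }
        throw new IllegalArgumentException("unsupported credential type");
    }

    // Constant-time comparison: the loop always runs over the full length so
    // the time taken does not reveal how many leading characters matched.
    // Only the length difference is observable, which is acceptable here.
    static boolean matches(char[] a, char[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        char[] password = null;
        char[] expected = "s3cret".toCharArray(); // constructed reference value
        try {
            password = credentialChars(getCredentials());
            System.out.println("match: " + matches(password, expected));
        } finally {
            // Wipe both arrays as soon as they are no longer needed, even if
            // an exception was thrown above; this is what a String cannot do.
            if (password != null) {
                Arrays.fill(password, '\0');
            }
            Arrays.fill(expected, '\0');
        }
        System.out.println("wiped: " + Arrays.equals(password, new char[password.length]));
    }
}
```

Run with `javac PasswordHandling.java && java PasswordHandling`. The point is the finally block: the plaintext is overwritten the moment the comparison is done, rather than remaining reachable until the garbage collector gets around to it.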

String.valueOf() doesn't intern Strings. The only way to intern Strings during runtime is with password.intern(). There's no need to use char[] for passwords. Using char[] allows you to clear the array directly after use, narrowing the attacker's timeframe to dump the memory and retrieve the plaintext password.

A String by itself is nothing special to the GC. Interning affects it a bit, but in regular use you wouldn't encounter anything out of the ordinary.
