
Password in the process memory but not in the heap dump

I've stumbled recently on an issue with Java processes where one could use a tool like http://processhacker.sourceforge.net to inspect the memory of the runtime application. The tool reveals the password used to authenticate in the application. I've investigated the issue and the password seems to be zeroed out after it's used. I tried to do a heap dump using Java Mission Control (with GC disabled) and see if I can retrieve the password. Using the Eclipse Memory Tool I ran a simple query like:

SELECT * FROM char[] c WHERE toString(c).startsWith("mypasswordsample")

But that did not yield any result, and the password was still visible in Process Hacker after an hour or so. If I do the heap dump with GC enabled, Process Hacker seems to no longer find the password.

What is the JVM doing behind the scenes? Why can't I find the password in the live objects? Can I do some sort of dump to see where this password is stored, who created it and why it wasn't zeroed out?

This is too specific to answer, but many passwords (particularly with JAAS) will use a character array instead of a String and explicitly zero out the characters after use. So if you got a heap dump while they were logging on you might see it; but if not, then you wouldn't. See the PasswordCallback from JAAS that uses this mechanism.

(An array of characters is used because an array is mutable; therefore you can go through afterwards and set each character to a space or \0 once it's been used to authenticate. That way even if the GC doesn't clean it up quickly, the contents of the memory shouldn't hold the data for snooping processes.)
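The char[] handling the answer describes, as an added example in Java (not code from the question, the answer or JAAS itself): it uses the real javax.security.auth.callback.PasswordCallback, while digestOf, verify and the class name are hypothetical helpers, and the "mypasswordsample" value is a constructed demo secret. The point it adds is that getPassword() returns a clone, so every copy (the caller's array, the callback's array and any transient byte buffers) has to be wiped, and that nothing ever turns the password into a String.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.security.auth.callback.PasswordCallback;

public class ZeroingPasswordDemo {

    // Hypothetical helper: hash a char[] password without ever creating a String
    // from it, and wipe the transient byte copies before returning.
    static byte[] digestOf(char[] password) throws NoSuchAlgorithmException {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] bytes = new byte[buf.remaining()];
        buf.get(bytes);
        try {
            return MessageDigest.getInstance("SHA-256").digest(bytes);
        } finally {
            Arrays.fill(bytes, (byte) 0);                            // wipe our copy
            if (buf.hasArray()) Arrays.fill(buf.array(), (byte) 0);  // and the encoder's buffer
        }
    }

    static boolean verify(char[] password, byte[] expectedDigest) throws NoSuchAlgorithmException {
        // constant-time comparison of the digests, not of the passwords
        return MessageDigest.isEqual(digestOf(password), expectedDigest);
    }

    public static void main(String[] args) throws Exception {
        // Demo-only: a String literal sits in the constant pool for the life of the
        // JVM, which is exactly why a runtime password must never become a String.
        // Real code loads the stored (salted) hash from its user store instead.
        byte[] expected = digestOf("mypasswordsample".toCharArray());

        PasswordCallback cb = new PasswordCallback("password: ", false);
        cb.setPassword("mypasswordsample".toCharArray()); // normally filled by the CallbackHandler

        char[] pw = cb.getPassword(); // returns a clone: two arrays now hold the secret
        try {
            System.out.println("authenticated: " + verify(pw, expected));
        } finally {
            Arrays.fill(pw, '\0'); // clear the caller's copy ...
            cb.clearPassword();    // ... and the callback's own copy
        }
        System.out.println("caller copy after clear: " + Arrays.toString(pw));
    }
}
```

Even with this, a CharsetEncoder can leave intermediate copies if it has to grow its output buffer, and stack frames or JIT-compiled code may hold the bytes briefly; that is why a process-memory scanner can still see a password that no live heap object references.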
