This article is participating in the Java Theme Month – Java Debug Notes Event, see the event link for details

Q: Why is char[] preferred over String for passwords?

In Swing, a password field has a getPassword() method (returning char[]) instead of the usual getText() method (returning String). Again, I came across a suggestion not to use String for passwords.

Why is String a security threat in terms of passwords? It feels inconvenient to use char[].

Answer:

Strings are immutable. This means that once you have created the String, if another process can dump memory, there is no way (other than reflection) that you can get rid of the data before garbage collection begins.

With arrays, you can explicitly erase the data once it’s done. You can overwrite the array with anything you like, and the password won’t appear anywhere in the system, even before garbage collection.

So, yes, this is a security issue – but even using char[] only reduces the attacker’s window of opportunity, and it’s only for this particular type of attack.

As noted in the comments, arrays moved by the garbage collector may leave stray copies of data in memory. I believe this is specific to implementation – the garbage collector will probably erase all memory as it goes to avoid such a thing. Even so, there is still the time during which the char[] contains the actual characters, as an attack window.

If they can only take snapshots of memory, you want to reduce the damage that snapshots can cause, or the window in which really serious snapshots can be taken.
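The wipe-after-use pattern described in the answer, as an added example that is not part of the original Q&A. The class name, sample password and PBKDF2 parameters are assumptions chosen for illustration; the point shown is that the password goes from char[] to a derived value and to bytes without an intermediate String, and that every mutable copy is overwritten.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordWipeDemo {
    // Derive a verifier from the password without ever building a String.
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256); // example parameters
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec keeps its own copy of the chars
        }
    }

    // Encode to UTF-8 for APIs that need byte[], again with no String.
    static byte[] toUtf8(char[] password) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] out = Arrays.copyOfRange(buf.array(), buf.position(), buf.limit());
        Arrays.fill(buf.array(), (byte) 0); // wipe the encoder's backing array
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample; in Swing this would be JPasswordField.getPassword().
        char[] password = {'s', '3', 'c', 'r', 'e', 't'};
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] utf8 = null;
        try {
            byte[] stored = derive(password, salt);
            byte[] attempt = derive(password, salt);
            System.out.println("match: " + MessageDigest.isEqual(stored, attempt));
            utf8 = toUtf8(password);
            System.out.println("utf8 length: " + utf8.length);
        } finally {
            Arrays.fill(password, '\0'); // overwrite in place, before any GC
            if (utf8 != null) Arrays.fill(utf8, (byte) 0);
        }
        System.out.println("wiped: " + Arrays.equals(password, new char[6]));
    }
}
```

Calling new String(password) or password.toString() anywhere in this flow would reintroduce an immutable copy that cannot be overwritten.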

The author recommends that the password be String and cannot be decrypted backwards.

The article translated from stackoverflow.com/questions/8…
