24

Possible Duplicate:
Why is char[] preferred over string for passwords?

When I was preparing for OCPJP I came accross the topic - "Reading User input from console".

There was an example where it read username in String reference, whereas password in a char[] array, but I couldn't understand why it used char array.. Here is the code : -

Console console = System.console();

String username = console.readLine("User Name? ");
char[] password = console.readPassword("Password? ");

This raised a doubt in my mind.. Why didn't we used String reference to store password. Since Strings are immutable, so it must be more secure to read password in a String, as its content could not be changed for that matter.

So, what's the whole point in reading password in char[] array..

Can anyone shed some light in this matter?

Community
  • 1
  • 1
Rohit Jain
  • 209,639
  • 45
  • 409
  • 525

4 Answers4

11

As you said, strings are immutable, meaning that once you've created the string, if another process can dump memory, there's no way (ok, may with reflection) you can get rid of the data before GC kicks in.

With an array, you can explicitly wipe the data after you're done with it: you can overwrite the array with anything you like, and the password won't be present anywhere in the system, even before garbage collection.

caarlos0
  • 20,020
  • 27
  • 85
  • 160
  • 1
    At least that is the intent of using char arrays for passwords. I am however not so sure if it considering heap defragmenting, virtual memory, swapping etc. is really true. If e.g. defragmenting the heap causes the char array to be moved within the process' memory space, will the content on the old location actually be erased? – jarnbjo Oct 02 '12 at 13:38
  • I believe that it depends of the the GC specific implementation... – caarlos0 Oct 02 '12 at 13:53
7

From the Javadoc of java.io.Console:

Security note: If an application needs to read a password or other secure data, it should use readPassword() or readPassword(String, Object...) and manually zero the returned character array after processing to minimize the lifetime of sensitive data in memory.

This is just to prevent other applications (like keyloggers etc., from accessing the password.

And moreover if you use String, since they are immutable, modifying them would create copies in the memory. Using char[] would save you in this case. As they are mutable, they won't create an copies and you can make them null after processing.

Nayuki
  • 17,911
  • 6
  • 53
  • 80
Sri Harsha Chilakapati
  • 11,744
  • 6
  • 50
  • 91
5

I believe that it is so you can clear them from memory by overwriting them when you no longer need them. With Java at least, if you use String, then there may be copies leftover in memory.

If you overwrite the char array using a for loop and set each value to 0, I don't think there will be any leftover copies in memory.

Ren
  • 1,111
  • 5
  • 15
  • 24
4

As strings are immutable, they cannot be overwritten and remain in memory while the application is active. A char array, on the other hand can be cleared of all password information.

Reimeus
  • 158,255
  • 15
  • 216
  • 276