0

In case I am handling passwords in my application, is it absolutely necessary that I use char array instead of a String object? If my application is configured to write no logs or anything and memory dumps are least expected, will it be too imprudent to use a String object?

It would be beneficial if I could use a String object because I would then be able to use a library (jBCrypt) which I otherwise will not be able to use.

Pratanu Mandal
  • 597
  • 8
  • 23
  • ??? Why would it be necessary? – brso05 Oct 20 '14 at 17:18
  • 1
    @brso05 Because strings are interned, hence passwords may be held in memory. – Ingo Bürk Oct 20 '14 at 17:19
  • ??? a char array will also be held in memory? – brso05 Oct 20 '14 at 17:20
  • @brso05 Not past it's usage as it will then be garbage-collected. Strings, however, won't. So passwords might accumulate in memory over the entire runtime of the application. In particular, you don't need to try to "catch" something in memory -- it will always be there. – Ingo Bürk Oct 20 '14 at 17:21
  • Strings will be garbage collected as well. – brso05 Oct 20 '14 at 17:22
  • 1
    With the char array, you can immediately set all the values to 0 and destroy the password when you are done with what you need it for. With the String, you're leaving it up to the system to deal with it in garbage collection. – Compass Oct 20 '14 at 17:23
  • 1
    @IngoBürk As per http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords the reason you might want to use `char[]` instead of `String` is not because strings don't get GC'd but because you can manually scramble / erase a character array after you are done using it while with a string you have to wait for GC. – SamYonnou Oct 20 '14 at 17:24
  • Yes @Compass and SamYonnou that is the correct answer. – brso05 Oct 20 '14 at 17:25
  • @Compass - In that case, can you suggest a good Java implementation of BCrypt that uses a char array? I tried jBCrypt, but it only works with String – Pratanu Mandal Oct 20 '14 at 17:26
  • @SamYonnou / brso05 Yeah, you're right. Interning on non-literals only happens when explicitly called. My bad. – Ingo Bürk Oct 20 '14 at 17:26
  • You should be fine using String you can even manually run the gc to get rid of the string objects when you are done. – brso05 Oct 20 '14 at 17:27
  • @SamYonnou - In that case, can you suggest a good Java implementation of BCrypt that uses a char array? I tried jBCrypt, but it only works with String – Pratanu Mandal Oct 20 '14 at 17:27
  • Depending on how secure your application needs to be you should be fine with strings. If someone wants to get the passwords they can do it if you use char or String. – brso05 Oct 20 '14 at 17:28
  • @brso05 - could you please explain how can I manually run the gc to get rid of the String object? – Pratanu Mandal Oct 20 '14 at 17:28
  • @PrantanuMandal - System.gc(); – brso05 Oct 20 '14 at 17:29
  • 2
    I don't recommend doing `System.gc()`. It will potentially slow down your program a lot, and it does not actually guarantee that your strings will get GC'd right away. If you are really afraid of security issues and are stuck using strings I guess you can use reflection to erase the contents of the string you are using http://stackoverflow.com/questions/17151382/safely-using-string-for-passwords-by-using-reflection-to-scrub-contents-prior-to although note the answers on that question saying that if someone can read your memory in the first place using `char[]` or clearing strings wont help you – SamYonnou Oct 20 '14 at 17:32
  • @SamYonnou - so using strings is safe as long as there are no logging and memory dumps, right? – Pratanu Mandal Oct 20 '14 at 17:40
  • I am not a security expert but I imagine it's "safe enough". Assuming you aren't enabling the JVM settings that allow you to get a memory dump from a remote machine any potential hacker would probably have to install malicious software on your machine in order to read passwords from your JVM. At that point they could just install a keylogger instead and no amount of security-mindedness in the code is going to help you. – SamYonnou Oct 20 '14 at 17:54

1 Answers1

0

It depends on how much security you want your application to have. In most circumstances, I imagine you'll be fine using a String. Especially if you're not dumping out any output that could contain this String.

However, this does make your application slightly less secure. See this post for more information: Why is char[] preferred over String for passwords?

Community
  • 1
  • 1
NoseKnowsAll
  • 4,593
  • 2
  • 23
  • 44
  • 1
    Security experts (which I am not) would probably say: there is no "slightly less secure". There is only secure and insecure. – Ingo Bürk Oct 20 '14 at 17:28
  • @IngoBürk A real security expert would know its a gradient spectrum, as the only secure machine in the world is the one thats in a vault and not plugged in. – Mark W Oct 20 '14 at 18:01
  • @IngoBürk - Is using strings safe as long as there are no logging and memory dumps? – Pratanu Mandal Oct 22 '14 at 12:44