1

Passwords are recommended to be stored in char[] instead of String, as Strings are stored in StringPool. Read more here

As per this question Strings in StringPool are not available directly. To obtain Strings in Stringpool, we would need a password-dictionary to check them in StringPool. If we have a password-dictionary, we don't need to worry about StringPool, we can anyhow try directly on password fields.

So, why should we not use "String" as a datatype for passwords?

EDIT:

The answer obtained is: We can have access to memory dump and get access to Strings in stringpool.

Follow up questions:

  • How can one access the memory dump?
  • Can the access be prevented?
  • If access to memory dump is prevented, Is it safe to use String as a type for passwords?
Community
  • 1
  • 1
Mohit Kanwar
  • 2,962
  • 7
  • 39
  • 59
  • Thanks @Ruchira for letting me know of the duplicacy. However, the question in my mind is still not clear. I have modified the question, please remove the duplicate mark – Mohit Kanwar Mar 04 '15 at 05:40
  • Now your answer in here.http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords – Ruchira Gayan Ranaweera Mar 04 '15 at 05:43
  • cool. my question now comes to "if another process can dump memory" how can a process dump memory containing String pool? and analyze the same for existing strings? – Mohit Kanwar Mar 04 '15 at 05:47
  • http://stackoverflow.com/questions/12018675/making-a-memory-dump-of-java-application This answers a bit, but answer is not clearly explained. Also, I would like to use Java Code itself, and not any external tools – Mohit Kanwar Mar 04 '15 at 05:50
  • What do you mean by "StringPool" ? StringPool is a place where constants kept by the Java compiler from the source code. So if you have password in StringPool then this means that you have your password hardocded in java source files. You shouldn't do this neither as string nor as char array. – Sergey Mashkov Mar 04 '15 at 06:15
  • Strings can't be zeroed, but `char[]` arrays can. – user207421 Mar 04 '15 at 06:19
  • Actually No. If I have a Java field of type "String", which stores an input from users, that input would also be stored in StringPool. – Mohit Kanwar Mar 04 '15 at 06:21
  • So what is the problem if Strings cannot be zeroed? If String Pool is not accessible, what is the problem with it containing passwords? – Mohit Kanwar Mar 04 '15 at 06:22
  • No, it will not be stored in the pool unless you call something like String.intern(). You have all strings in the heap except compile-time constants including all duplicates. So you shouldn't mix heap and constant pool. All conatants are in class-files so could be read from files. In runtime you need char[] to will be able to Arrays.fill(array, ' ') when you don't need exact value anymore. With string you can't so attacker could make heap dump before GC kick and get your string directly from the heap. In case of char[] attacker will get empty array – Sergey Mashkov Mar 04 '15 at 06:58
  • I have a form field with type password. I have a corresponding valueobject, has a field named password to store the data provided by user while logging in. What should be the type of this field: String or char[] and why? – Mohit Kanwar Mar 04 '15 at 07:04

1 Answers1

0

String is immutable in java and stored in String pool. Once it’s created it stays in the pool until unless garbage collected, so even though we are done with password it’s available in memory for longer duration and there is no way to avoid it. It’s a security risk because anyone having access to memory dump can find the password as clear text.

If we use char array to store password, we can set it to blank once we are done with it. So we can control for how long it’s available in memory that avoids the security threat with String

yahitesh
  • 83
  • 8
  • Can you provide the details of accessing the memory dump? – Mohit Kanwar Jul 02 '15 at 02:48
  • There are lots of ways to get a heap dump, starting with simple tools like jmap to more fancy stuff like JVisualVM or even commerical tools as JProfiler. Correctly interpreting those dumps can be tricky though, so you might want to post exactly what you are looking for. – yahitesh Jul 02 '15 at 04:48
  • I am looking to get Strings from Stringpool. Can you share some pointers/ step by step procedure for that? – Mohit Kanwar Jul 02 '15 at 05:23
  • //create string object
    String s1=new String("Test");
    //string literal
    String s2="Test";
    System.out.println(s1==s2);//false
    //true >because intern method access string from StringPool
    System.out.println(s1.intern()==s2);//true
    System.out.println(System.identityHashCode(s1));//359925(address of heap)
    System.out.println(System.identityHashCode(s1.intern()));//9473797(address of string pool)
    System.out.println(System.identityHashCode(s2));//9473797
    System.out.println(System.identityHashCode(s2.intern()));//9473797     – yahitesh Jul 02 '15 at 07:37
  • This is not helpful. As If I am going to use brute force to get to know if a string is there in stringpool, I can anyhow use a brute force on the field itself. – Mohit Kanwar Jul 02 '15 at 08:09