
In my software I provide tools for FTP login. I used JPasswordField for the password part of the login panel. However, it is recommended to set each char of the array returned by the JPasswordField to 0 to keep it secure. However, I am not sure if it applies to my case. This is my method to get the password:

    public String getPassword() {
        char[] password = passwordField.getPassword();
        String passStr = "";
        for (int i = 0; i < password.length; i++) {
            passStr += password[i];   // copies the char into an immutable String
            password[i] = 0;          // zeroes the char[] copy, but not the String
        }
        return passStr;
    }

Is it the right way of getting the password from JPasswordField? As you can see I set each char to 0 after I get its value, but the variable passStr still holds the whole password, so I am kinda not sure if the logic of keeping it secure is correct here.

So can you please check the code and let me know if it is the correct implementation for such a situation?

user207421
Dan

2 Answers


The idea is not to have the String at all. Just use the chars, and zero them when you're finished with them. You should be able to pass the char[] around all the way to the FTP socket.

user207421
  • Thanks for your answer, seems logical. But just wondering, at the end to login to FTP, I think it is required to have the string of password. For example FTPClient in Apache Commons has a login method that gets the password as a string, what can I do in that case? However, if it is off-topic, I will create a new post for that. But thanks for giving me the idea. – Dan Mar 25 '15 at 22:30
  • Well OK that's poor design on their part. But I would cart the `char[]` around as far as possible, and convert it to `String` only for that API, with a rude comment, and make sure to release the `String` ASAP after the call. – user207421 Mar 25 '15 at 22:33
  • (Also requires clearing the password field's document, making sure the password doesn't appear as `Action.command`, etc., etc.) – Tom Hawtin - tackline Mar 26 '15 at 14:56
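An added example (not code from the question or the answers) of the approach this answer and its comments describe: keep the password as a char[] all the way to the consumer, zero every copy in a finally block, clear the field's document, and build a String only when a String-only API such as FTPClient.login(String, String) forces it. The ByteAuthenticator and StringAuthenticator interfaces are assumptions standing in for the FTP client.

```java
import javax.swing.JPasswordField;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public final class PasswordHandling {
    // Hypothetical consumer that takes the credential as bytes, e.g. code that
    // writes them straight to the FTP control socket.
    interface ByteAuthenticator { boolean authenticate(String user, byte[] password); }

    // Hypothetical String-only consumer, modelled on FTPClient.login(String, String).
    interface StringAuthenticator { boolean login(String user, String password); }

    // Preferred path: char[] -> byte[] -> consumer, no String ever created.
    static boolean loginWithBytes(JPasswordField field, String user, ByteAuthenticator auth) {
        char[] password = field.getPassword();   // a copy owned by the caller
        byte[] bytes = null;
        try {
            ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
            bytes = new byte[buf.remaining()];
            buf.get(bytes);
            buf.clear();                          // scrub the encoder's own buffer too
            while (buf.hasRemaining()) buf.put((byte) 0);
            return auth.authenticate(user, bytes);
        } finally {
            Arrays.fill(password, '\0');          // zero every copy we made
            if (bytes != null) Arrays.fill(bytes, (byte) 0);
            field.setText("");                    // and clear the field's document
        }
    }

    // Fallback for a String-only API: create the String as late as possible and
    // keep it in the narrowest scope. It cannot be wiped; it lives until the GC runs.
    static boolean loginWithString(JPasswordField field, String user, StringAuthenticator auth) {
        char[] password = field.getPassword();
        try {
            return auth.login(user, new String(password)); // String exists only for this call
        } finally {
            Arrays.fill(password, '\0');
            field.setText("");
        }
    }

    public static void main(String[] args) {
        JPasswordField field = new JPasswordField("hunter2");   // constructed sample password
        byte[] expected = "hunter2".getBytes(StandardCharsets.UTF_8);
        boolean ok = loginWithBytes(field, "dan", (u, p) -> Arrays.equals(p, expected));
        System.out.println("login ok: " + ok + ", field cleared: " + (field.getPassword().length == 0));
    }
}
```

Clearing the field with setText("") drops the field's current text but does not guarantee the document's internal buffer is overwritten, which is the limitation the last comment alludes to.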

It looks like this has been discussed earlier over here and here.

Hope those help.

debopam
  • Mere links are not an answer here. This should have been posted as a comment. The second link is irrelevant. – user207421 Mar 25 '15 at 22:19