
Okay, after reading this I have got the idea that it's better to store the password in an array rather than a String.

So when getting the password from a request parameter in a servlet's doPost method, won't that cause a security risk, because the password is retrieved as an actual String?

Is that the most secure way of getting the password in a servlet? Or can I use char[] to get my password?

  • Not sure what your point is. What exactly are you defending against? If the password safely made it to the server side, what specific concern are you trying to mitigate? The answer you linked even says that the best you can do is *reduce* the (remote) risk of memory probing. Up until the point where you call `getParameter` or whatever, the password, and all parameters, are represented as Strings. So at the point you're fretting about security, it's probably pointless. – kolossus May 01 '15 at 18:33
  • We send our keystore passwords as Base64-encoded and encrypted Strings. Whether we use a `String` or a `char[]` is not so important. – Tim Biegeleisen May 01 '15 at 18:34
  • While this is a security concern against a particular attack, using char[] here won't help you; it will, at best, make the window of opportunity smaller. It's certainly not on the priority list of concerns you should be worried about. – Cubic May 01 '15 at 18:34
  • Either char[] or String, the password would be visible in the request content if you don't use HTTPS to securely communicate data between client and server. – K139 May 01 '15 at 18:34
  • @kolossus What if the server-side memory was somehow dumped? I believe, if I am not mistaken, vulnerabilities like Heartbleed would allow us to do this. So if it was a char[] I could overwrite it after the password has been read, rather than keeping the String object in memory. – Kramer786 May 01 '15 at 18:34
  • The idea of an erasable password type is good only as long as you do not have to use any string-processing APIs. As soon as you have to convert it you lose all the advantages. – eckes May 01 '15 at 18:35

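As an added illustration of what the commenters describe (this is example code, not from the question or any answer, and the class name `PasswordCheck` is hypothetical): the servlet API hands you the parameter as an immutable `String`, so the only thing you can erase is the `char[]` copy you make from it. The JCE's `PBEKeySpec` is one of the APIs that actually takes a `char[]` and offers `clearPassword()`, which is the reason the `char[]` convention exists. The original `String` (and the container's request buffers) stay in heap memory until the garbage collector reclaims them, so this pattern narrows the exposure window but does not close it, exactly as kolossus and Cubic say.

```java
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.HttpServletRequest;

// Hypothetical helper for a servlet login handler; not part of the question.
public final class PasswordCheck {
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    // Derives a PBKDF2 hash from a char[] password. PBEKeySpec copies the
    // array internally; clearPassword() zeroes that internal copy.
    public static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec)
                    .getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Verifies the submitted password against a stored salt and hash.
    // getParameter() has already created an immutable String; that String
    // cannot be wiped and lives until GC. Only our char[] copy is erasable.
    public static boolean verify(HttpServletRequest req, byte[] salt, byte[] expectedHash)
            throws Exception {
        String raw = req.getParameter("password");
        if (raw == null) {
            return false;
        }
        char[] pw = raw.toCharArray();
        byte[] actual = null;
        try {
            actual = derive(pw, salt);
            // Constant-time comparison; avoids leaking where the hashes diverge.
            return MessageDigest.isEqual(actual, expectedHash);
        } finally {
            // Wipe the copies we control as soon as they are no longer needed.
            Arrays.fill(pw, '\0');
            if (actual != null) {
                Arrays.fill(actual, (byte) 0);
            }
        }
    }
}
```

The practical takeaway matches the comments: use `char[]` where an API such as `PBEKeySpec` or `KeyStore.load` expects it and wipe it afterwards, but treat TLS on the wire and a proper slow hash at rest as the controls that actually matter; the `String` produced by the servlet container is outside your control either way.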