3

Whilst handling passwords in Java, it's my understanding that they should always be handled as char[]s to allow GC and remove hanging references.

My question is: with

char[] password = String.valueOf(authentication.getCredentials()).toCharArray();

could the value of authentication.getCredentials() be interned or not?

  • Where did you hear this "passwords should always be handled as `char[]`"? – Kayaman Sep 30 '15 at 08:43
  • 1
    @Kayaman - Umm. in java they should. Because if a malicious program gains access to memory area of String constants pool, then an interned String could cause problems. `char[]` is safer in the sense it always goes on heap and we just don't know what it represents (which might also be the case with strings) and will get GCed easily – TheLostMind Sep 30 '15 at 08:48
  • @Kayaman I guess, read: http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords-in-java – Vishrant Sep 30 '15 at 08:50
  • @TheLostMind But the "problem" here is `interned`. It sounds like Java would be interning Strings all over the place, which it doesn't. I can understand the wiping of the `char[]`, not the "you never know when a String is interned". – Kayaman Sep 30 '15 at 08:52
  • 2
    @Vishrant That's just Jon Skeet, what does he know ;) – Kayaman Sep 30 '15 at 08:53
  • @Kayaman - I get your point. A String that is not interned could *conceptually* be *safe enough*. But then again, there is nothing stopping you from interning it. :) – TheLostMind Sep 30 '15 at 08:54

2 Answers

2

String.valueOf() doesn't intern Strings. The only way to intern Strings during runtime is with password.intern(). There's no need to use char[] for passwords. Using char[] allows you to clear the array directly after use, narrowing the attacker's timeframe to dump the memory and retrieve the plaintext password.

A String by itself is nothing special to the GC. Interning affects it a bit, but in regular use you wouldn't encounter anything out of the ordinary.

Kayaman
  • Ah ok, thanks @Kayaman. I took the char[] from this [post](http://stackoverflow.com/questions/12937641/handling-passwords-used-for-auth-in-source-code). I also had the understanding that all strings in Java were interned, but I now believe this is only the case for string literals? – Jacob Cartledge Sep 30 '15 at 08:54
  • 1
    @JacobCartledge - String literals and explicit calls to `intern()` :) – TheLostMind Sep 30 '15 at 08:56
2

It's not a question of interning the String; any security concerns around using Strings to store passwords arise from the amount of time they are present in memory.

With a char array you have the ability to wipe the contents once you've finished reading them. With a String (which is immutable) you're left relying on the garbage collector; this means that if someone has access to your server and dumps the memory, there may be passwords visible.

StuPointerException
  • 1
    Ah, so that's the reason for "use `char[]` for passwords". – Kayaman Sep 30 '15 at 08:48
  • So the above usage of char[] then set to null would be fine? – Jacob Cartledge Sep 30 '15 at 08:57
  • 2
    @JacobCartledge No, clearing the contents of the `char[]` to zero or anything really is what matters. Setting it to null will just keep it around in memory, waiting for the GC to pick it up (which is exactly what happens with `String`). – Kayaman Sep 30 '15 at 09:45
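An added example, not from either answer or the commenters, of the practice both answers describe: take the password as a char[], use it, then zero it with Arrays.fill in a finally block rather than just dropping the reference. It derives a key with PBKDF2 through PBEKeySpec, which accepts a char[] for exactly this reason; the class name and the sample password are constructed for the example.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordHandling {

    // The pattern from the question. The String that valueOf() returns cannot be
    // wiped; only the char[] copy can, so the plaintext lives on in that String
    // until the GC reclaims it. Prefer APIs that hand you a char[] directly
    // (Console.readPassword, JPasswordField.getPassword, ...).
    static char[] copyFromCredentials(Object credentials) {
        return String.valueOf(credentials).toCharArray();
    }

    // Derive a key with PBKDF2 and wipe the password buffer no matter what happens.
    // PBEKeySpec takes a char[] so the caller keeps control of the buffer and can
    // zero it as soon as the key has been derived.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();          // zero the internal copy PBEKeySpec made
            Arrays.fill(password, '\0');   // zero the caller's buffer
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. Built as an array literal rather than via
        // "...".toCharArray() so that no interned String literal holds the plaintext.
        char[] password = {'s', '3', 'c', 'r', '3', 't'};
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        byte[] key = deriveKey(password, salt);
        System.out.println("derived key bytes: " + key.length);
        System.out.println("buffer after use: " + Arrays.toString(password));

        // What the comment thread warns against: `password = null` only drops the
        // reference; the plaintext would stay on the heap until the GC reclaimed it.
        // The Arrays.fill in deriveKey is what actually removed it.
        password = null;
    }
}
```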