
In my application the password is stored in a String and Fortify is complaining about this.

The remediation says that it "stores sensitive data in a String object, making it impossible to reliably purge the data from memory".

Could anyone help me with this?

Do I need to store the password in a char[] or anything that is not immutable, and how can I do that?

This encrypt function is called from a number of places in my application:

    public class Accessible
    {
        public static void main(String[] args)
        {
            System.out.println(Accessible.encrypt("ABCD"));
        }

        // Despite its name, this method only copies the password; it never encrypts
        // or hashes it. StringBuilder.toString(), getBytes() and new String(...) each
        // leave another copy of the plaintext on the heap that cannot be zeroed.
        public final static String encrypt(String plaintext)
        {
            StringBuilder pwd = new StringBuilder();
            pwd.append(plaintext);
            return new String(pwd.toString().getBytes());
        }
    }
ashishl
  • Look at http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords-in-java; your question has been asked several times before :) – steelshark Sep 08 '16 at 12:56
  • Thanks. If I'm working on a web application, then I get the password from the UI as a String. Do I then need to change the String password to a char[] after I have received it? – ashishl Sep 08 '16 at 13:10
  • Unfortunately I have no solution for that. If this is really a big concern for you, I would look into OAuth. Let a third party handle the identification for you so you only need to work with the tokens afterwards – steelshark Sep 08 '16 at 22:29

0 Answers
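An added example (not from the question, the comments or the linked post) of the char[] approach the linked answer recommends, with hypothetical names PasswordHandling, hashPassword and verify: the password travels as a char[] that the caller zeroes with Arrays.fill once a salted PBKDF2 hash has been derived, and the hash rather than the plaintext is what gets stored or compared. The String a web framework hands over cannot be wiped; the example converts it once and drops the reference, which is the most a caller can do about that.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordHandling {
    // Hypothetical replacement for Accessible.encrypt(String): takes a char[] the caller
    // can wipe, and derives a salted PBKDF2 hash instead of copying the plaintext around.
    public static byte[] hashPassword(char[] password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256); // iteration count is illustrative
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec keeps its own copy of the password; zero it too
        }
    }

    // Constant-time comparison so the check does not leak where the hashes differ.
    public static boolean verify(char[] candidate, byte[] salt, byte[] expected)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] actual = hashPassword(candidate, salt);
        try {
            return MessageDigest.isEqual(actual, expected);
        } finally {
            Arrays.fill(actual, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a web framework hands the password over as a String.
        // Convert it once, drop the reference, and work with the char[] from then on.
        String fromRequest = "ABCD";
        char[] password = fromRequest.toCharArray();
        fromRequest = null; // the String cannot be wiped, only dereferenced
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        try {
            byte[] hash = hashPassword(password, salt);
            System.out.println(verify(password, salt, hash)); // true
        } finally {
            Arrays.fill(password, '\0'); // the purge step a String never offers
        }
    }
}
```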