
I am trying to build an unofficial api for a website. It will require the user to log in, and the password will be read from the console using the standard Console.readPassword() method. Now, this gives me a char array, but I have to send the password through a POST request using the HttpPost class in Apache's HttpClient library. For this, a String is required, but conversion of the password to String will create a security risk. What can I do?

Edit: I know how to convert a char array to string. The problem is that Strings are immutable and since you cannot delete objects explicitly in Java, the password will be left in the memory.

4 Answers


The security people will tell you of wonderful secure string concepts in languages in order to protect against heap inspection.

I used to be a believer of this, not any more. It's worth noting that the .NET equivalent, SecureString, is being phased out -- you only need to watch about 10 minutes of this wonderful YouTube video to see why. The concept sounds wonderful, until you have to actually do something with the data, and then most likely you cannot keep it secure anymore (as in your case -- you need to use the Apache library). Also, on many platforms, the key to encrypt the string is in the same memory space as the string itself, so it really is more obfuscation than security. See also Security Stack Exchange discussion.

Bottom line: this is an inherent problem in the language and there's not much you can do to protect against it.

TheGreatContini

If what you mean is you want to use the password in HTTP "Basic" authentication, then from version 5.0 onwards, Apache HttpClient's UsernamePasswordCredentials supports passing char[].

If instead you mean you want to pass the password in the body of an HttpPost, which is to say that it must be inside the HttpEntity, HttpEntity is an interface, and you could theoretically implement #getContent() and #writeTo(OutputStream) however you want, including keeping the password as a char array the entire time. Be careful about encoding though, because converting a char[] to byte[] without someone leaking a copy of it is non-trivial.

Hakanai
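A concrete way to do the char[]-to-bytes step that the answer above warns about, as an added example that is not part of the original answer and not code from HttpClient: a hypothetical FormBodyWriter helper that percent-encodes an application/x-www-form-urlencoded body straight into an OutputStream (the stream a custom HttpEntity's writeTo(OutputStream) receives), so the password exists only as the original char[] plus one short-lived byte[] that is scrubbed in a finally block. The class name, method names and the sample field names are assumptions; the sample password in main() is constructed for the demo and stands in for System.console().readPassword().

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.CoderResult;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Hypothetical helper (not part of Apache HttpClient) that writes a form
 * body such as "user=alice&password=..." to an OutputStream while keeping
 * the password in a char[] and one short-lived byte[] that is zeroed
 * afterwards. Meant to be called from a custom HttpEntity.writeTo().
 */
public final class FormBodyWriter {

    private FormBodyWriter() {}

    /** Writes "name=value" pairs joined by '&'. The caller scrubs the password array. */
    public static void writeLoginForm(OutputStream out, String userField, String user,
                                      String passwordField, char[] password) throws IOException {
        // Field names and the user name are not secret, so Strings are fine for them.
        writeEncoded(out, userField.toCharArray());
        out.write('=');
        writeEncoded(out, user.toCharArray());
        out.write('&');
        writeEncoded(out, passwordField.toCharArray());
        out.write('=');
        writeEncoded(out, password);   // the password stays a char[] the whole way
        out.flush();
    }

    /**
     * Encodes chars as UTF-8 with a CharsetEncoder (no String is created),
     * then percent-encodes the bytes straight into the stream. The UTF-8
     * copy is zeroed before returning; the only copies left are whatever
     * the stream itself buffers.
     */
    static void writeEncoded(OutputStream out, char[] chars) throws IOException {
        CharsetEncoder enc = StandardCharsets.UTF_8.newEncoder();
        // Worst-case size up front, so the encoder never needs a second, larger buffer.
        ByteBuffer bytes = ByteBuffer.allocate((int) Math.ceil(chars.length * enc.maxBytesPerChar()));
        try {
            CoderResult r = enc.encode(CharBuffer.wrap(chars), bytes, true);
            if (r.isError()) r.throwException();
            r = enc.flush(bytes);
            if (r.isError()) r.throwException();
            bytes.flip();
            while (bytes.hasRemaining()) {
                int b = bytes.get() & 0xff;
                if (isUnreserved(b)) {
                    out.write(b);
                } else if (b == ' ') {
                    out.write('+');           // form encoding writes space as '+'
                } else {
                    out.write('%');
                    out.write(HEX[b >>> 4]);
                    out.write(HEX[b & 0x0f]);
                }
            }
        } finally {
            Arrays.fill(bytes.array(), (byte) 0);   // scrub the UTF-8 copy
        }
    }

    private static final char[] HEX = "0123456789ABCDEF".toCharArray();

    /** Bytes that application/x-www-form-urlencoded leaves as-is. */
    private static boolean isUnreserved(int b) {
        return (b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || (b >= '0' && b <= '9')
                || b == '-' || b == '_' || b == '.' || b == '*';
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input; in real use this comes from System.console().readPassword().
        char[] password = "p@ss w0rd/ü".toCharArray();
        try {
            writeLoginForm(System.out, "user", "alice", "password", password);
            System.out.println();
        } finally {
            Arrays.fill(password, '\0');   // scrub the original as soon as it has been sent
        }
    }
}
```

To wire this in, override writeTo(OutputStream) in your HttpEntity implementation to call writeLoginForm, scrub the char[] as soon as writeTo returns, and report isRepeatable() as false, because the body cannot be regenerated once the array is zeroed (so retries and redirects that resend the body will fail rather than silently reusing a copy). What this does not control is the copy the HTTP client's own buffering, the TLS layer and the JVM allocator make downstream, which is the point the first answer makes: this narrows the window in which the password is recoverable from the heap, it does not close it.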

What I would suggest would be to hash the user's password on the client side and send the hash to the server, as storing plain-text passwords on the server side is a security risk in the first place. This answer lays out the entire method of hashing passwords in Java and then authenticating the password with the hash stored on the server when a user logs in.

HyperCell
  • I do not have access to the server code. It's a regular website which accepts login information through https. – Apr 03 '17 at 12:10
  • While the concept of client-side hashing is one I think we should be adopting, achieving security by this idea is easier said than done. For example, pass-the-hash attacks will still work unless you do an additional hash on the server side. More info about complexities [here](https://eprint.iacr.org/2015/387.pdf). – TheGreatContini Apr 03 '17 at 21:04

Use String.valueOf():

    // Console.readPassword() is an instance method, so obtain the Console first.
    String str = String.valueOf(System.console().readPassword());
Cardinal System