
I have stored a password in a char array, and while retrieving it back I am calling the String.valueOf(char[] array) method directly. Will this store the formed String in the String pool? If yes, how can we store hardcoded passwords more securely without the use of hashing and encryption techniques?

Example:

```java
public class TestUser {
   public static void main(String[] args)
   {
      // User is assumed to expose getUserId() and getPassword(), the latter returning a char[]
      User u1 = new User();

      System.out.println("User Name is "+u1.getUserId());
      System.out.println("Password is "+String.valueOf(u1.getPassword()));

   }
}
```

Please explain.

Vlad Dekhanov
    "Do this thing will store the formed String in String pool " No. – Andy Turner May 03 '17 at 07:57
  • Ideally, your app should have no idea what your users' passwords are. That call to `ui.getPassword()` should be returning encrypted/garbled characters and not a plain text password. You should be storing only the encrypted passwords. – Tim Biegeleisen May 03 '17 at 07:58
  • @AndyTurner Thanks – Sidhant Bansal May 03 '17 at 08:02
  • As it is said in [this thread](http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords), a side-effect of using `char[]` in place of `String` is that you limit the risk of printing your password somewhere in readable format. – Turtle May 03 '17 at 08:02
  • @TimBiegeleisen Actually, I am trying to use this thing for JDBC connections and the ui.getPassword() method is returning a char array. In my application it is a very hectic process to implement encoding techniques. – Sidhant Bansal May 03 '17 at 08:04
  • @AndyTurner Where did you find the info? I found in the oracle doc that `String.valueOf returns a newly allocated String that represent the array`, so since we initialize it it should end in the String pool? – Turtle May 03 '17 at 08:05
  • @Nathan I have already read that topic, but my concern was whether the direct calling of String methods will store the formed String in the String pool or in the heap. – Sidhant Bansal May 03 '17 at 08:06
  • @Nathan strings don't go into the string pool unless 1) they are compile-time constants; 2) you explicitly call `intern()` on them. – Andy Turner May 03 '17 at 08:07
  • @luk2302 This is not a case where I am storing the passwords of users; what I am asking is only about storing a hardcoded password in the case of JDBC connections. That's it, it has nothing to do with user passwords. – Sidhant Bansal May 03 '17 at 08:08
  • @AndyTurner Thanks for the precision. – Turtle May 03 '17 at 08:09
  • @AndyTurner Thanks for the appropriate answer. – Sidhant Bansal May 03 '17 at 08:15

1 Answer

The documentation for String.valueOf(char[]) doesn't state that it interns the resulting string, but doesn't state that it doesn't, either. In general, if the method doesn't say it interns the string, I'd feel comfortable assuming it doesn't.

The current implementation in Oracle's JDK does not, it looks like this:

```java
public static String valueOf(char data[]) {
    return new String(data);
}
```

You could, of course, avoid any ambiguity by using new String(char[]) directly.

That said, ideally, don't use a String at all, since the char[] contents are copied and you can't then overwrite the copy to clear out the password chars when you're done with them (without resorting to reflection). Instead, as soon as you get the char[] from your UI layer, run your password hashing algorithm on it and immediately overwrite the contents of the char[], and then validate the hashed password against the stored copy (e.g., in the DB, etc.).

Just because someone's going to point it out: Printing out the password is probably the larger security concern than whether the password is interned. But this looks like test code... :-)

T.J. Crowder
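To illustrate the two points made in the answer (that `String.valueOf(char[])` copies the array without interning the result, and that the `char[]` should be hashed and then wiped rather than turned into a `String`), here is an added example that is not part of the original question or answer. It assumes PBKDF2 via `javax.crypto` as the hashing algorithm and uses constructed sample values.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordCharArrayDemo {

    // String.valueOf(char[]) returns a fresh String holding a copy of the chars; it is not interned.
    static void showCopyAndNoInterning() {
        char[] secret = {'h', 'u', 'n', 't', 'e', 'r', '2'};   // constructed demo value
        String fromArray = String.valueOf(secret);
        String literal = "hunter2";                              // compile-time constant: lives in the pool
        System.out.println("same object as pool literal? " + (fromArray == literal));      // false
        System.out.println("same after intern()?         " + (fromArray.intern() == literal)); // true
        Arrays.fill(secret, '\0');                               // wiping the array...
        System.out.println("String still readable?       " + fromArray.equals(literal));  // true: the copy survives
    }

    // Derives a PBKDF2 hash directly from the char[] and wipes every copy of the chars; no String is created.
    static byte[] hashAndWipe(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);  // 256-bit derived key
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();          // PBEKeySpec keeps its own clone of the chars; zero it
            Arrays.fill(password, '\0');   // zero the caller's array too
        }
    }

    public static void main(String[] args) throws Exception {
        showCopyAndNoInterning();
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        char[] pw = {'c', 'o', 'r', 'r', 'e', 'c', 't'};       // constructed demo value, never a String
        byte[] hash = hashAndWipe(pw, salt);
        System.out.println("hash length: " + hash.length + " bytes; array wiped: " + (pw[0] == '\0'));
    }
}
```

Store the salt and the derived bytes; at verification time rerun `hashAndWipe` on the freshly entered `char[]` with the stored salt and compare with `MessageDigest.isEqual`, so the plaintext never exists as a `String`.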