
Recently at work I saw a request to change an interface signature for a method dealing with passwords from String to char[] for Java apps.

That made very little sense to me (as a newbie Java developer) - in C, it was always backwards, with finite length char[] arrays being the source of buffer overflow security issues. Why would String pose a security concern in Java (whereas char[] would not)?

DVK
  • This has been answered here already: http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords – logix May 09 '17 at 14:13
  • Check the following thread http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords – Basil Battikhi May 09 '17 at 14:13
  • You cannot clear the `char[]` that contains the `String`'s value. Using `char[]` directly lets you do that, removing the data from memory. – f1sh May 09 '17 at 14:15
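An added example (not from the question or its comments) showing the point f1sh's comment makes in practice: after the password has been fed to a key-derivation function, the `char[]` can be overwritten, while a `String` holding the same value cannot. The class name, the PBKDF2 parameters and the sample password are assumptions.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHandling {

    // Derive a key from the password, then wipe every copy of the password we control.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        // PBEKeySpec takes char[] for exactly this reason: it can be cleared afterwards.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();        // PBEKeySpec keeps its own copy; zero it
            Arrays.fill(password, '\0'); // zero the caller's array as well
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Constructed sample input. Note that the String literal itself stays interned in the
        // heap, which is precisely the problem; real code reads the password straight into a
        // char[] with Console.readPassword() so no String copy is ever created.
        char[] pw = "correct horse".toCharArray();
        byte[] key = deriveKey(pw, salt);
        System.out.println("derived key length: " + key.length + " bytes");
        // pw is now all '\0': the plaintext no longer lives in this array.
        System.out.println("password array wiped: " + Arrays.equals(pw, new char[pw.length]));

        // With a String there is no equivalent: the value is immutable and remains in the heap
        // until the garbage collector reclaims it, and it may be copied or interned meanwhile.
        String s = new String(new char[] {'s', 'e', 'c', 'r', 'e', 't'});
        s = null; // the only option is to drop the reference and wait for the GC
    }
}
```

Zeroing the array does not remove copies the JVM may have made elsewhere (for example during string building or in swap), so treat it as reducing the window of exposure rather than as a guarantee.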
