
Why getText() in JPasswordField was deprecated?

According to this answer for the above question, what I understood was that creating a String object containing the password is a security threat because it may remain in the memory for a while and it is immutable.

So I was wondering,

  • How easy is it to retrieve something which has been hanging around in memory, without a reference or left out for garbage collection?

  • And how do you do it?


EDIT

As the question has been closed, please be kind enough to share your knowledge by adding a comment, and consider reopening the question if you believe it may get interesting answers in the future. :)

Roshana Pitigala
  • This comment might be slightly irrelevant, but have you ever used cheat-engine? It lets you examine the address space of another process and read the memory. I'm certain someone could use it to obtain a password hanging around in memory. – byxor Jun 28 '17 at 14:57
  • [Why is `char[]` preferred over `String` for passwords?](https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords) - you get a memory dump and look through it and with enough effort you will find it. – luk2302 Jun 28 '17 at 14:58
  • @JarrodRoberson What I'm looking is for a way to get objects left out for garbage collection. Not about security of leaving passwords as string. I posted something about password security as an example, to get a better idea. I think you misunderstood the question. – Roshana Pitigala Jun 28 '17 at 15:18
  • In what way is my comment not sufficient? You will **not** get a complete breakdown on how to do what I describe, that topic fills books. – luk2302 Jun 28 '17 at 16:02
  • @luk2302 Ohh.. No offence to your comment, in fact it is perfect. The question was closed as duplicate. But that's not what I'm after. I'll post a summarized answer after a few days of research.. :) – Roshana Pitigala Jun 28 '17 at 16:07
  • **so now it is asking for recommendations for resources and discussion which are both blatantly off-topic! as well as being way off-topic: too-broad as well** – Jun 28 '17 at 19:46
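The question's own reasoning (an immutable `String` holding the password cannot be cleared, while a `char[]` can be zeroed after use) as an added example that is not part of the original question or of any linked answer. `derive` and `hashFromField` are hypothetical helper names; the password value, salt and iteration count are constructed for illustration, and the example uses the JDK's `PBEKeySpec`, which accepts a `char[]` and offers `clearPassword()` precisely for this reason.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.swing.JPasswordField;

public class PasswordHandling {

    // Hypothetical helper: derive a PBKDF2 hash straight from the char[] so no
    // String copy of the secret is ever created. PBEKeySpec copies the chars
    // internally, so its own copy is wiped in the finally block as well.
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // zeroes PBEKeySpec's internal copy
        }
    }

    // Hypothetical helper: the non-deprecated path. getPassword() returns a fresh
    // char[] that the caller owns, so it can be zeroed on every exit path.
    static byte[] hashFromField(JPasswordField field, byte[] salt) throws Exception {
        char[] password = field.getPassword();
        try {
            return derive(password, salt);
        } finally {
            Arrays.fill(password, '\0'); // wipe our copy whether or not derive() threw
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];          // constructed salt; store it with the hash
        new SecureRandom().nextBytes(salt);

        // The deprecated getText() path: once the secret is in a String there is no
        // way to zero it; it stays in the heap until the GC reclaims and reuses
        // that memory, which is outside the program's control.
        String cannotBeCleared = "hunter2";  // constructed sample value
        // Even cannotBeCleared.toCharArray() would only add a second copy.

        // Constructed stand-in for the char[] a JPasswordField would hand back.
        char[] pw = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        byte[] hash;
        try {
            hash = derive(pw, salt);
        } finally {
            Arrays.fill(pw, '\0');
        }
        System.out.println("wiped: " + Arrays.toString(pw) + ", hash bytes: " + hash.length);
    }
}
```

Wiping is best effort: the JVM may have copied the array during garbage-collection compaction, and the Swing text model keeps its own buffer, so the goal is to shorten the window in which a readable copy exists, not to guarantee there is none.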

1 Answer


https://en.wikipedia.org/wiki/Heartbleed

This is a good real-world example of things hanging in memory being used for exploitation. There are different ways to do it, so it's good to just make sure things that are valuable aren't being left hanging. Usually these attacks are just guess-and-check. You just keep sending information and piecing together the bits of extra memory you get in return.

J0hn
  • Bear in mind that Heartbleed happened in a language where garbage collection wasn't available. – byxor Jun 28 '17 at 14:59
  • @byxor that is true but does not change much since garbage collection does not overwrite "garbage" / no longer used memory. – luk2302 Jun 28 '17 at 15:00
  • Great point. Hopefully this comment thread is food for thought. – byxor Jun 28 '17 at 15:02