0

This was asked in one of my interviews:

In Java what object or container is used to store sensitive information?

When I searched I got this link: "Why is char[] preferred over String for passwords?"

So is a character array the right answer to this question?

learner
  • 3
    The question doesn't make a lot of sense. What do they mean by "container", "store" and "sensitive". A `char[]` is the correct answer in some cases, not others. – Stephen C Jan 13 '18 at 06:54
  • I'm voting to close this question as off-topic because we can't know what the interviewers were hoping to hear. – Kayaman Jan 13 '18 at 08:26

3 Answers

1

It could be that the interviewer was after KeyStore, but a more general answer would be SealedObject.

The answer about char only applies as against String, because you can wipe a char but not a String.

user207421
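An added example, not part of the answer above or of any project's code: it seals a `char[]` in a `SealedObject` with AES-GCM and wipes the plaintext array afterwards, combining the two points the answer makes. The class name `SealedSecretDemo`, the helper names and the card number are constructed for illustration; the key is generated in place here, where an application would load it from protected storage.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SealedObject;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.security.SecureRandom;
import java.util.Arrays;

public class SealedSecretDemo {   // hypothetical class name

    // Encrypts a char[] into a SealedObject using AES-GCM with a fresh random IV.
    static SealedObject seal(char[] secret, SecretKey key) throws Exception {
        byte[] iv = new byte[12];                       // 96-bit IV, never reused per key
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return new SealedObject(secret, cipher);        // char[] is Serializable
    }

    // Decrypts; the SealedObject carries the cipher parameters (IV, tag length).
    // A wrong key or tampered ciphertext makes getObject throw.
    static char[] unseal(SealedObject sealed, SecretKey key) throws Exception {
        return (char[]) sealed.getObject(key);
    }

    // Overwrites the array contents; a String offers no equivalent operation.
    static void wipe(char[] secret) {
        Arrays.fill(secret, '\0');
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();               // assumption: generated in place for the demo

        // Constructed test value. A literal like this stays in the constant pool,
        // so real input should arrive as char[] (e.g. Console.readPassword()).
        char[] card = "4111111111111111".toCharArray();

        SealedObject sealed = seal(card, key);
        wipe(card);                                     // plaintext copy no longer needed
        System.out.println("wiped: " + (card[0] == '\0'));

        char[] recovered = unseal(sealed, key);
        System.out.println("recovered length: " + recovered.length);
        wipe(recovered);                                // wipe again after use
    }
}
```

Serialization inside `SealedObject` makes temporary byte copies that this code cannot wipe, so the benefit is limiting how long the plaintext stays reachable, not guaranteeing its removal from memory.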
0

If I had to hazard a guess, it would likely be the KeyStore class. If you do anything with a signed web certificate (like serve HTTPS in Spring Boot or use Tomcat to serve HTTPS traffic), or need to have some encrypted credentials in-situ in your application, this is the class one typically uses.

Character arrays are great in that they're not as vulnerable to pre-garbage collection attacks, but there's no inherent encryption or security to those by default.

Makoto
  • I see that `KeyStore` is used to store SSL certificates. Is there a way to store, for example, an employee's credit card details securely with this class? I tried to find an example, but everywhere I see only examples related to certificates. – learner Jan 14 '18 at 04:38
  • No it isn't. It is only usable for keys or certificates. Not arbitrary data. – user207421 Jan 14 '18 at 07:19
-2

Unfortunately, your question ultimately lacks both clarity and context for the question that'd been asked of you, but I'll make the default assumption and go with "a private member" as the most likely desired answer. So: no, I suspect answering with "a character array" may have even raised an eyebrow IF you did not follow up with the specifically recommended use case for char[]s. That use case only has to do with explicitly obfuscating data in memory when you are done with that value and no other inherent protections while you need the value in memory.

wolcen
  • 1
    Considering that `private` is a keyword, and there's no inherent encryption or protection around an instance, I'm going to have to **categorically** disagree with you here... – Makoto Jan 13 '18 at 07:14
  • I completely understand that disagreement, but wanted to point out that my answer was also "a hazard at a guess". There's no real indication of what "sensitive" means, nor at what level it is being hidden from something. I would probably strive for an answer similar to yours (if I'd known a common Java class for it, anyway) when interviewing for a development leadership position at a financial institution. I was clearly thinking more along the lines of an entry level position. Perhaps I'd not be qualified for either! LOL. Thanks for the feedback. – wolcen Jan 13 '18 at 07:37
  • 1
    The question asks for what "object or container". The keyword `private` has nothing to do with that. – NickL Jan 13 '18 at 18:21