
I have a problem with storing a plain password in memory as a String. According to the reference, since Strings are immutable there is a vulnerability in using the String data type for storing sensitive data in memory.

https://www.geeksforgeeks.org/use-char-array-string-storing-passwords-java/

Why is char[] preferred over String for passwords?

Can I overcome this security issue by nullifying the string variable instead of using a char array or String buffer/builder?

e.g.: `String password = "password"; password = null;`

  • Your password should be a char array. – ΦXocę 웃 Пepeúpa ツ Mar 13 '18 at 06:15
  • Use a byte array? – Lyju I Edwinson Mar 13 '18 at 06:16
  • You cannot solve the issue by nullifying the string variable, as it will not remove that string object from the String Constant Pool; you're just assigning null to 'password', not removing the actual password from memory. – DhaRmvEEr siNgh Mar 13 '18 at 06:23
  • Nulling out a string will surely help with memory leaks, but still, the String will be present in the Java String pool, though you cannot access the String pool since it is maintained privately by Java. It's better to use a byte array or char array and also apply suitable encryption in case you want to make things extra secure. – Amit Kumar Lal Mar 13 '18 at 06:31


No. Nullifying a string would only unlink the reference, but the value will still exist in the string pool, because to conserve memory, string values are retained in the string pool.

Any potential hacker can retrieve the value by gaining access to the string pool.

Whereas with char[], you can simply treat that object as any other object, and nullifying the char object will wipe off the data from the heap at the time of garbage collection.

An even better option will be using a byte array.

Read more about the String Constant Pool.

tryingToLearn
  • Thank you for your answer. But I have another concern: **If we call the garbage collector forcefully after nullifying, can it remain in memory?** – Sudesh Chandana Mar 13 '18 at 06:35
  • Yes. The garbage collector does not run on the String pool in the same way as it does on other objects. See https://stackoverflow.com/a/18407081/2458858 for more understanding. – tryingToLearn Mar 13 '18 at 06:39
  • But the value will only go in the String pool if it's a literal or it was `intern()`ed. It's more about controlling the lifetime of the password in memory. The suggestion to use `char[]` is correct, but you need to blank out the `char[]` after use; it's not enough to set it to null. – Kayaman Mar 13 '18 at 07:26

If you want absolute security, no. Nulling out the String is not the right solution.

The reason for this is that nulling it out makes no guarantees about the String no longer being available. Although it may make it more likely to be garbage collected (and this is only a 'may'), there are no guarantees about when (or even if) it will be garbage collected.

You should use either a byte array, or a char array, and then null each of the elements in the array when you are done.

chamakits
  • **Although it may make it more likely to be garbage collected (and this is only a 'may'), there are no guarantees about when (or even if) it will be garbage collected.** After nullifying, if we call the garbage collector forcefully, can it remain in memory? – Sudesh Chandana Mar 13 '18 at 06:35
  • @Sudesh you can't forcefully garbage collect. (`System.gc()` merely hints that you'd like a GC; there is no guarantee it does anything.) – Andy Turner Mar 13 '18 at 07:18
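An added example, not from either answer above, of the `char[]` handling both answers recommend: the password is kept in a `char[]`, handed to PBKDF2 through `PBEKeySpec` (which takes a `char[]` precisely so the caller can wipe it afterwards), and then overwritten with `Arrays.fill` rather than merely set to null. The `deriveKey` and `isWiped` helpers and the sample password are constructed for this demo; the sample is built from a literal only for convenience, and that literal itself stays in the string pool, which is exactly why real code reads the password straight into a `char[]` with `Console.readPassword()`.

```java
import java.io.Console;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordBuffer {

    // Derives a 256-bit key from the password. PBEKeySpec copies the char[];
    // clearPassword() zeroes that internal copy, the caller wipes the original.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // True when every element has been overwritten (helper for the demo).
    static boolean isWiped(char[] buf) {
        for (char c : buf) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        // Prefer readPassword(): the secret never exists as a String.
        // Fallback is a constructed sample for running without a terminal.
        char[] password = (console != null)
                ? console.readPassword("Password: ")
                : "correct horse battery staple".toCharArray();
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        byte[] key;
        try {
            key = deriveKey(password, salt);
        } finally {
            // Overwrite the buffer we own; 'password = null' would leave the chars on the heap.
            Arrays.fill(password, '\0');
        }
        System.out.println("password buffer wiped: " + isWiped(password));

        // Key material deserves the same treatment once it has been used.
        Arrays.fill(key, (byte) 0);
    }
}
```

Wiping the array bounds the window in which the secret is readable, but a copying garbage collector may already have moved the object, so an old copy can linger until that region is reused; this is still the best the language offers, which is why the answers frame it as limiting lifetime rather than guaranteeing erasure.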