
We have all been told to always use char[] instead of java.lang.String to handle plain-text passwords in Java applications, because the immutable nature of java.lang.String allows attackers to take a heap snapshot (before GC has kicked in) and read the passwords from that snapshot.

Now I'm surprised to see spring-security using String to transfer passwords, e.g. in UserDetails.

Is this a security issue? If not, why not? If so, how can I safely use spring-security without revealing passwords in the Java heap, or at least minimize the risk of revealing them?

See Why is char[] preferred over String for passwords?

dpr
    If I take a heap snapshot and you have passwords stored in a `char[]` I can grab them too. Using `char[]` is what we call "security through obscurity". It's "security theater". Look! We care about security. They don't! But if I have control of the machine, I can read anything in your user level application at any time (without you, as a user, knowing). – Elliott Frisch Nov 20 '18 at 17:08
  • @ElliottFrisch, sure, I can read `char[]` contents from a heap dump as well. To my understanding the best practice should be to clear the `char[]` after you're finished handling the password, to minimize the possibilities of such attacks. But with `String` you can't clear anything and have to wait for the GC to free the memory. – dpr Nov 20 '18 at 17:11
  • https://stackoverflow.com/a/18407081/2970947 Meh. If you want to go back to explicit memory management, use C or C++. – Elliott Frisch Nov 20 '18 at 17:15
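The pattern the question and comments are discussing, as an added example (it is not code from the post, from dpr, or from Spring Security): keep the password as a char[] end to end, hand it to an API that accepts char[] (PBKDF2 via PBEKeySpec does), and wipe every copy you own as soon as it is no longer needed. The class and method names (CharArrayPasswordDemo, derive, verify) are made up for this example, and the sample password is constructed inline; a real program would obtain it from Console.readPassword(), which already returns a char[], rather than from a String literal that stays in the constant pool.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class CharArrayPasswordDemo {

    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    /**
     * Derives a PBKDF2-HMAC-SHA256 hash from a char[] password.
     * PBEKeySpec copies the password internally, so that copy is wiped in the
     * finally block; the caller still owns and must wipe its own array.
     */
    static byte[] derive(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec)
                                   .getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword(); // zero PBEKeySpec's internal copy
        }
    }

    /** Compares a candidate password against a stored hash in constant time. */
    static boolean verify(char[] candidate, byte[] salt, byte[] expectedHash) {
        byte[] actual = derive(candidate, salt);
        try {
            return MessageDigest.isEqual(actual, expectedHash);
        } finally {
            Arrays.fill(actual, (byte) 0); // the derived hash is secret material too
        }
    }

    public static void main(String[] args) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Constructed sample input. Note that toCharArray() leaves the String
        // literal itself in the heap; only Console.readPassword() or a char[]
        // filled directly from an input stream avoids that copy entirely.
        char[] password = "correct horse battery staple".toCharArray();
        byte[] stored = derive(password, salt);

        // Simulate a later login attempt with its own char[] buffer.
        char[] attempt = "correct horse battery staple".toCharArray();
        boolean ok = verify(attempt, salt, stored);

        // Wipe both buffers as soon as they are no longer needed. After this,
        // a heap dump shows only zeroed arrays where the plain text used to be.
        Arrays.fill(password, '\0');
        Arrays.fill(attempt, '\0');

        System.out.println("login ok: " + ok);
        System.out.println("wiped: " + Arrays.equals(password, new char[password.length]));
    }
}
```

Two caveats a practitioner should keep in mind. First, wiping is best effort: the JIT or a copying garbage collector may already have duplicated the array, so the technique shortens the window rather than eliminating it, which is the point Elliott Frisch makes above about an attacker who already controls the machine. Second, the moment a char[] is turned into a String (for example to call an API such as UserDetails.getPassword() that only takes String) you are back to an immutable copy you cannot clear, so the gain only holds if every API on the path accepts char[] or raw bytes.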
