
We have a security recommendation to use char array instead of String while storing password and later clear the char array. But the problem is, some of the jars accept string as an argument.

For example, org.apache.http.auth.UsernamePasswordCredentials needs two String arguments: one for the password and one for the username. Now, how do I call this function without creating a String for the password?

```java
httpClient.getCredentialsProvider().setCredentials(
        new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT),
        new UsernamePasswordCredentials(user.getUsername(),
                new String(user.getPassword())));
```

How do I resolve this? Is there any way where I can store the password? I understand that String is immutable and it is not recommended to store passwords in a String. So what is the alternative?

Madhan
  • If the argument is a String then you need to pass a String, exactly what is it you are asking? Just because you must store something as a char array doesn't mean you can convert it into a String while in memory or? – Joakim Danielson Sep 24 '19 at 06:45
  • 3
    Forget the char array, visit: [When will a string be garbage collected in java](https://stackoverflow.com/questions/18406703/when-will-a-string-be-garbage-collected-in-java) – Aniket Sahrawat Sep 24 '19 at 06:45

1 Answer


So the reason the security recommendation is to store the password as a character array is because, unlike arrays, Strings are immutable. This basically means once you've created the String it's in memory, even if you overwrote it, until such time that the garbage collection removes it. This means that another process can dump memory (before the GC runs) and potentially get your password. With arrays, on the other hand, you can go and specifically overwrite the array and no other process will be able to get it.

With an array, you can explicitly wipe the data after you're done with it. You can overwrite the array with anything you like, and the password won't be present anywhere in the system, even before garbage collection.

Had a look at org.apache.http.auth.UsernamePasswordCredentials and the UsernamePasswordCredentials only supports String. So potentially I would just store the password as a char array as per your security recommendation and then just convert it to String when calling this class. Then, if you're that paranoid, dispose of the class once you're done with it and immediately run the GC (this may run up your memory usage).

Also, if security is such a serious concern then your administrators should look at other alternatives, such as disabling core dumps.

Ambro-r
  • @Madhan, did this answer your question? If it did, please check the empty check mark on the left. – Ambro-r Sep 26 '19 at 06:14
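The approach described in the answer above, written out as an added example (not code from the original posts or from the Apache HttpClient project). It assumes Apache HttpClient 4.3 or later on the classpath; the class name, `providerFor`, `allZero`, the user name and the sample password are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class CharArrayCredentials {

    // Hypothetical helper: builds a provider from a char[] and wipes the array.
    static CredentialsProvider providerFor(String username, char[] password) {
        CredentialsProvider provider = new BasicCredentialsProvider();
        try {
            // The String exists only because the constructor requires one.
            // It is created at the call site and never stored in a field here.
            provider.setCredentials(
                    new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT),
                    new UsernamePasswordCredentials(username, new String(password)));
            return provider;
        } finally {
            // The caller's array can be overwritten deterministically,
            // even if the constructor above throws.
            Arrays.fill(password, '\0');
        }
    }

    static boolean allZero(char[] chars) {
        for (char c : chars) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample; in practice use System.console().readPassword(),
        // which returns char[] so no String is created on input.
        char[] password = {'s', 'a', 'm', 'p', 'l', 'e'};
        CredentialsProvider provider = providerFor("demo-user", password);
        System.out.println("array wiped: " + allZero(password));
        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultCredentialsProvider(provider).build()) {
            // Requests executed with this client authenticate via the provider.
            System.out.println("credentials set: "
                    + (provider.getCredentials(AuthScope.ANY) != null));
        } finally {
            // Drop the only reference to the String copy so it becomes eligible
            // for garbage collection; its contents cannot be overwritten.
            provider.clear();
        }
    }
}
```

The String copy inside `UsernamePasswordCredentials` stays on the heap until the collector reclaims it, so this narrows the exposure window rather than removing it.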