What are the security reasons for JPasswordField.getPassword()?

Question

Since Java 1.2, JPasswordField.getText() has been deprecated "for security reasons", ecouraging usage of getPassword() method "for stronger securty".

However, I was able to get the password stored in JPasswordField at least in Oracle JRE 1.7 by analysing the heap dump (JPasswordField instance -> model -> s -> array).

So how does JPasswordField.getPassword() helps to protect the password?

score 3 · Accepted Answer · answered Jan 06 '12 at 11:42

3

Well, the documentation for it states:

For stronger security, it is recommended that the returned character array be cleared after use by setting each character to zero.

But, of course, if you use the getText method, you get back a String, which is immutable, so you couldn't carry out the same recommendation.

answered Jan 06 '12 at 11:42

Damien_The_Unbeliever

234,701
27
340
448

There still is a char array stored in `JPasswordField` itself, so why bother? – Alex Abdugafarov Jan 06 '12 at 11:44
A character array can be cleared immediately. A `String` can be garbage collected at some indeterminate time in the future. – trashgod Jan 06 '12 at 13:08
You mean, I need to clear the JPasswordField content immediately after using? – Alex Abdugafarov Jan 06 '12 at 18:39
@FrozenSpider - that's the recommendation. I'm not able to check at the moment - is the array returned by `getPassword` the internal array you've been looking at, or a copy? – Damien_The_Unbeliever Jan 06 '12 at 19:57
@Damien_The_Unbeliever returned array is a copy created via `System.arraycopy(...)`, so it seems that we need to clear both - one directly, and one via `setText(null)`. – Alex Abdugafarov Jan 06 '12 at 20:43

score 2 · Answer 2 · answered Jul 17 '13 at 15:47

The answer is simple. Here is a pragmatic approach that explains the difference between getPassword() and getText()

JPasswordField jt=new JPasswordField("I am a password");
System.out.println("The text is "+jt.getText());
System.out.println("The password is "+jt.getPassword());

Output

I am a password
[C@1e4a47e

The getPassword() method returns the password as char[] whereas the getText() returns the password as plain text i.e. in the form of String.

However, if you do print like this,

System.out.println(new String(jt.getPassword()));

This is much equal to getText() in JPasswordField. However this does not mean that getPassword() uses the getText() internally and then convert it into char array.

The getPassword() method uses the non-string API i.e. the Segment. However, Segment is again immutable, but the getPassword() method brings the char array from the Segment and returns it.

However as String is immutable and char[] is not, a char[] is considered quite secure because it can be wiped out.

Manikandan Sigamani · Answer 3 · 2012-01-06T11:58:28.373

1

Security note though getPassword() uses getText() internally

Although the JPasswordField class inherits the getText method, you should use the getPassword method instead. Not only is getText less secure, but in the future it might return the visible string (for example, "**") instead of the typed string.

To further enhance security, once you are finished with the character array returned by the getPassword method, you should set each of its elements to zero.

edited Jan 06 '12 at 11:58

answered Jan 06 '12 at 11:44

Manikandan Sigamani

1,964
1
15
28

2

Thanks for copy-pasting http://stackoverflow.com/a/984063/466646 , yes. And it's not an answer anyway, see my comment to @Damien_The_Unbeliever's answer. – Alex Abdugafarov Jan 06 '12 at 11:46
@FrozenSpider Changed the answer - – Manikandan Sigamani Jan 06 '12 at 12:00

What are the security reasons for JPasswordField.getPassword()?

3 Answers3