Groups | Search | Server Info | Keyboard shortcuts | Login | Register

Groups > comp.lang.java.security > #174

Re: passwords, Strings an

From "Lothar Kimmeringer" <lothar.kimmeringer@THRWHITE.remove-dii-this>
Subject Re: passwords, Strings an
Message-ID <1x2nusiozesn.dlg@kimmeringer.de> (permalink)
Newsgroups comp.lang.java.security
References <48c921b5$0$10490$426a74cc@news.free.fr>
Date 2011-04-27 16:08 +0000
Organization TDS.net

Show all headers | View raw

  To: comp.lang.java.security
Fred wrote:

> The problem is that the String that getParameter created is still there 
> ... containing a clear text password. And a memory dump could allow 
> people to read this password.
> 
> My question is : Is there a way to totally discard a String's content 
> from the JVM's memory?

Strings are special in Java and you can't discard them easily
or intentionally.

A common way to handle passwords in cryptographic applications
is the use of character-array where you set the entries to
zero before discarding the reference. Due to the way Java
manages the memory this way still not ensures that there areen't
any copies of the array-values sitting around, but it's better
that the use of Strings where the references are stored in a
specific pool to be able to fulfil the Java-specification where
the following must work:

String a = "hello";
String b = "hello";
assertTrue(a == b);


Best regards, Lothar
-- 
Lothar Kimmeringer                E-Mail: spamfang@kimmeringer.de
               PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
                 questions!

---
 * Synchronet * The Whitehouse BBS --- whitehouse.hulds.com --- check it out free usenet!
--- Synchronet 3.15a-Win32 NewsLink 1.92
Time Warp of the Future BBS - telnet://time.synchro.net:24

Back to comp.lang.java.security | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

passwords, Strings and me "Fred" <fred@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
  Re: passwords, Strings an "Lothar Kimmeringer" <lothar.kimmeringer@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
    Re: passwords, Strings an "Fred" <fred@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
      Re: passwords, Strings an "Lothar Kimmeringer" <lothar.kimmeringer@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
      Re: passwords, Strings an "Wojtek" <wojtek@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
        Re: passwords, Strings an "Lothar Kimmeringer" <lothar.kimmeringer@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
          Re: passwords, Strings an "Wojtek" <wojtek@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
        Re: passwords, Strings an "Fred" <fred@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
          Re: passwords, Strings an "Maarten Bodewes" <maarten.bodewes@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000

csiph-web