
Re: passwords, Strings an

From "Lothar Kimmeringer" <lothar.kimmeringer@THRWHITE.remove-dii-this>
Subject Re: passwords, Strings an
Message-ID <1x2nusiozesn.dlg@kimmeringer.de>
X-Comment-To comp.lang.java.security
Newsgroups comp.lang.java.security
In-Reply-To <48c921b5$0$10490$426a74cc@news.free.fr>
References <48c921b5$0$10490$426a74cc@news.free.fr>
Date Wed, 27 Apr 2011 16:08:34 GMT



  To: comp.lang.java.security
Fred wrote:

> The problem is that the String that getParameter created is still there 
> ... containing a clear text password. And a memory dump could allow 
> people to read this password.
> 
> My question is : Is there a way to totally discard a String's content 
> from the JVM's memory?

Strings are special in Java and you can't discard them easily
or intentionally.

A common way to handle passwords in cryptographic applications
is the use of a character array where you set the entries to
zero before discarding the reference. Due to the way Java
manages memory, this still doesn't ensure that there aren't
any copies of the array values sitting around, but it's better
than the use of Strings, where the references are stored in a
specific pool to be able to fulfil the Java specification, where
the following must work:

String a = "hello";
String b = "hello";
assertTrue(a == b);


Best regards, Lothar
-- 
Lothar Kimmeringer                E-Mail: spamfang@kimmeringer.de
               PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
                 questions!
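
The char[] approach described in the post above, as an added example that is not part of the original post or thread. The class name PasswordWipeDemo, the use of PBKDF2 and the iteration count are assumptions chosen for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordWipeDemo {

    // Derive a key from the password, then zero every copy this code controls.
    static byte[] deriveAndWipe(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();         // PBEKeySpec keeps its own clone of the array
            Arrays.fill(password, '\0');  // zero the caller's array before dropping it
        }
    }

    static boolean isWiped(char[] buf) {
        for (char c : buf) if (c != '\0') return false;
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample password, built char by char. Writing
        // "s3cret".toCharArray() would leave the literal in the String pool.
        // A console program would get the char[] from Console.readPassword().
        char[] password = {'s', '3', 'c', 'r', 'e', 't'};
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        byte[] key = deriveAndWipe(password, salt);
        System.out.println("derived key bytes: " + key.length);
        System.out.println("caller array wiped: " + isWiped(password));
        Arrays.fill(key, (byte) 0);       // key material is sensitive as well

        // The String case from the post: equal literals are one pooled object,
        // and String has no method that overwrites its contents.
        String a = "hello";
        String b = "hello";
        System.out.println("a == b: " + (a == b));
    }
}
```

It applies only where the password arrives as a char[]; a value already returned as a String, as with getParameter in the question, cannot be wiped this way.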

