From: "Lothar Kimmeringer"
Subject: Re: passwords, Strings an
Newsgroups: comp.lang.java.security
Date: Wed, 27 Apr 2011 16:08:34 GMT
Message-ID: <1x2nusiozesn.dlg@kimmeringer.de>
In-Reply-To: <48c921b5$0$10490$426a74cc@news.free.fr>

Fred wrote:

> The problem is that the String that getParameter created is still there
> ... containing a clear text password. And a memory dump could allow
> people to read this password.
>
> My question is: Is there a way to totally discard a String's content
> from the JVM's memory?

Strings are special in Java and you can't discard them easily or intentionally. A common way to handle passwords in cryptographic applications is the use of a character array where you set the entries to zero before discarding the reference.

Due to the way Java manages memory, this still does not ensure that there aren't any copies of the array values sitting around, but it's better than the use of Strings, where the references are stored in a specific pool to be able to fulfil the Java specification, where the following must work:

String a = "hello";
String b = "hello";
assertTrue(a == b);

Best regards, Lothar

--
Lothar Kimmeringer E-Mail: spamfang@kimmeringer.de
PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)
Always remember: The answer is forty-two, there can only be wrong questions!
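An added example (not from Lothar's post) of the char[] handling he describes, using the standard javax.crypto PBKDF2 API; the password and salt values are constructed for the demo, and the class and method names are my own.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordWipe {

    // Derives a key from a password that lives only in a char[], then
    // clears the copy that PBEKeySpec keeps internally.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // zeroes the copy held by the spec
        }
    }

    // Returns true when every entry of the buffer has been overwritten.
    static boolean isWiped(char[] buf) {
        for (char c : buf) if (c != '\0') return false;
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample password, written as a char[] literal on purpose:
        // "hunter2".toCharArray() would leave an interned String literal
        // behind that no code can wipe. A real program would get the buffer
        // from Console.readPassword(), which already returns a char[].
        char[] password = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // constructed salt for the demo

        byte[] key = null;
        try {
            key = deriveKey(password, salt);
            System.out.println("derived " + key.length + " key bytes");
        } finally {
            // Overwrite the entries before the references are dropped. As the
            // post notes, temporaries inside the provider may still exist;
            // this only removes the copies we control.
            Arrays.fill(password, '\0');
            if (key != null) Arrays.fill(key, (byte) 0);
        }
        System.out.println("password buffer wiped: " + isWiped(password));
    }
}
```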