 

Interning of String.valueOf()

Whilst handling passwords in Java, it's my understanding that they should always be handled in char[]s to allow GC and remove hanging references.

My question is: given

char[] password = String.valueOf(authentication.getCredentials()).toCharArray();

could the value of authentication.getCredentials() be interned or not?

Jacob Cartledge asked Nov 18 '25 16:11


2 Answers

String.valueOf() doesn't intern Strings. The only way to intern Strings during runtime is with password.intern(). There's no need to use char[] for passwords. Using char[] allows you to clear the array directly after use, narrowing the attacker's timeframe to dump the memory and retrieve the plaintext password.

A String by itself is nothing special to the GC. Interning affects it a bit, but in regular use you wouldn't encounter anything out of the ordinary.

Kayaman answered Nov 21 '25 04:11


It's not a question of interning the String; any security concerns around using Strings to store passwords arise from the amount of time they are present in memory.

With a char array you have the ability to wipe the contents once you've finished reading them. With a String (which is immutable) you're left relying on the garbage collector; this means that if someone has access to your server and dumps the memory there may be a password visible.

StuPointerException answered Nov 21 '25 06:11
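The two answers make two separate points: String.valueOf() does not intern (only an explicit intern() call reaches the pool at runtime), and a char[] can be wiped once you are done with it while an immutable String sits on the heap until the garbage collector gets to it. The Java program below is an added example illustrating both points; it is not code from the question or from either answer. The Credentials class is a hypothetical stand-in for whatever authentication.getCredentials() returns in the asker's framework, and "hunter2" is a constructed sample value. It also shows the caveat for the exact pattern in the question: the char[] produced by toCharArray() can be zeroed, but the intermediate String that String.valueOf() created cannot, so if the credential source can hand out a char[] directly, use that instead of going through a String.

```java
import java.util.Arrays;

public class PasswordHandling {

    /** Hypothetical stand-in for whatever authentication.getCredentials() returns (an assumption). */
    static final class Credentials {
        private final char[] secret;

        Credentials(char[] secret) {
            this.secret = secret.clone();
        }

        /** Hands out a copy so the caller can wipe its own copy independently of ours. */
        char[] copySecret() {
            return secret.clone();
        }

        /** String.valueOf(credentials) ends up here and gets a brand-new heap String. */
        @Override
        public String toString() {
            return new String(secret);
        }

        /** Zero the master copy once authentication is complete. */
        void wipe() {
            Arrays.fill(secret, '\0');
        }
    }

    /** Identity-compares the String.valueOf() result with an interned literal of equal content. */
    static boolean valueOfInterns(Credentials c) {
        String literal = "hunter2";             // string literals are interned when the class loads
        String viaValueOf = String.valueOf(c);  // new object via toString(); never added to the pool
        return viaValueOf == literal;           // distinct objects, so identity comparison fails
    }

    /** The same comparison after an explicit intern(), the only runtime route into the pool. */
    static boolean explicitInternPools(Credentials c) {
        String literal = "hunter2";
        return String.valueOf(c).intern() == literal;  // intern() hands back the pooled instance
    }

    /** Compare every character so the loop's running time does not reveal where a mismatch is. */
    static boolean constantTimeEquals(char[] a, char[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    /**
     * Verifies the password from a char[] copy and wipes that copy in a finally block,
     * so the plaintext is gone when this method returns rather than when the GC runs.
     */
    static boolean verifyAndWipe(Credentials c, char[] expected) {
        char[] password = c.copySecret();
        try {
            return constantTimeEquals(password, expected);
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /**
     * The pattern from the question. The char[] is wiped, but the intermediate String
     * built by String.valueOf() is immutable and stays on the heap until collected;
     * zeroing the array does nothing about that copy.
     */
    static char[] viaValueOfThenWipe(Credentials c) {
        String intermediate = String.valueOf(c);       // cannot be wiped
        char[] password = intermediate.toCharArray();  // can be wiped
        Arrays.fill(password, '\0');
        return password;                               // zeroed; 'intermediate' still holds the plaintext
    }

    public static void main(String[] args) {
        // Constructed sample secret for the demonstration; "hunter2" is only a placeholder.
        Credentials creds = new Credentials("hunter2".toCharArray());
        char[] expected = "hunter2".toCharArray();

        System.out.println("String.valueOf() interns?       " + valueOfInterns(creds));
        System.out.println("intern() returns pooled copy?   " + explicitInternPools(creds));
        System.out.println("password verified via char[]?   " + verifyAndWipe(creds, expected));
        System.out.println("toCharArray() copy zeroed?      "
                + Arrays.equals(viaValueOfThenWipe(creds), new char[7]));

        creds.wipe();
        Arrays.fill(expected, '\0');
    }
}
```

Compile and run with javac PasswordHandling.java && java PasswordHandling. The try/finally in verifyAndWipe is the part worth copying: it guarantees the wipe happens even when the comparison throws, which is the whole reason to prefer a char[] over a String for the secret.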