Is there any way to safely retrieve the password from PasswordField in JavaFX8 so it isn't saved in memory?
Standard option:
String pass = passwordField.getText();
isn't enough for me. I'm expecting something like this:
char[] pass = passwordField.getPassword();
Java program to create a password field: This program creates a PasswordField indicated by the name b. The PasswordField will be created inside a scene, which in turn will be hosted inside a stage (which is the top-level JavaFX container). The function setTitle() is used to provide a title for the stage.
Creating a Password Field
PasswordField passwordField = new PasswordField();
passwordField.setPromptText("Your password");
For your user interface, you can accompany the password field with a prompt message or you can add a notifying label.
In Java Swing, to create a password field you use the JPasswordField class. You can assign an echo character other than the default one (*) using the setEchoChar() method. You can get the password using the getPassword() method.
As with many things, you can achieve this using reflection. And since you're using reflection, it won't be pretty (just look at all those exceptions), but I think this is the only way for now.
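import java.lang.reflect.Field;
import javafx.scene.control.PasswordField;

public class SafePasswordField extends PasswordField {

    // Copies the field's characters into a char[] without going through a String.
    public final char[] getPassword() throws NoSuchFieldException, SecurityException,
            IllegalArgumentException, IllegalAccessException {
        Content c = getContent();
        // Read the private "characters" field of the content object via reflection.
        Field fld = c.getClass().getDeclaredField("characters");
        fld.setAccessible(true);
        StringBuilder sb = (StringBuilder) fld.get(c);
        char[] result = new char[sb.length()];
        sb.getChars(0, sb.length(), result, 0);
        return result;
    }
}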
The Content returned by getContent() is always an instance of javafx.scene.control.TextField$TextFieldContent, so it's safe to access the characters field.
No matter what the variable type is (String, char[] ...) it will always be stored in memory, until the Garbage Collector picks it up. While I assume it would be a bit difficult, you would have to make a program and read the memory space that contains the variable's data in order to retrieve the password. I wouldn't be worried about any eavesdropping if I were you :)