Since Java 1.2, JPasswordField.getText() has been deprecated "for security reasons", encouraging usage of the getPassword() method "for stronger security".
However, I was able to get the password stored in JPasswordField at least in Oracle JRE 1.7 by analysing the heap dump (JPasswordField instance -> model -> s -> array).
So how does JPasswordField.getPassword() help to protect the password?
Swing's JPasswordField has the getPassword() method that returns a char array.
char[] getPassword(): Returns the password as an array of characters.
void setEchoChar(char), char getEchoChar(): Sets or gets the echo character which is displayed instead of the actual characters typed by the user.
JPasswordField is a lightweight component that allows the editing of a single line of text where the view indicates something was typed, but does not show the original characters. You can find further information and examples in How to Use Text Fields, a section in The Java Tutorial.
Well, the documentation for it states:
For stronger security, it is recommended that the returned character array be cleared after use by setting each character to zero.
But, of course, if you use the getText method, you get back a String, which is immutable, so you couldn't carry out the same recommendation.
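The recommendation quoted above, as an added example that is not part of the original answer: the password is read with getPassword(), used to derive a key without ever becoming a String, and every copy the caller controls is zeroed afterwards. The class name, the sample password and the PBKDF2 iteration count are assumptions made for the illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.swing.JPasswordField;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class PasswordFieldDemo {

    // Derives a key from the password while it stays in a char[].
    static byte[] deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        // 210_000 iterations is an assumed value, not taken from the page.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec holds its own copy; wipe that too
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        JPasswordField field = new JPasswordField();
        field.setText("correct horse"); // constructed sample standing in for typed input

        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        char[] password = field.getPassword(); // a new array copied from the field
        byte[] key = null;
        try {
            key = deriveKey(password, salt);
            System.out.println("derived " + key.length + " key bytes");
        } finally {
            Arrays.fill(password, '\0'); // the step the Javadoc recommends
            if (key != null) {
                Arrays.fill(key, (byte) 0);
            }
        }

        // The caller's array is now all zeros. A String returned by getText()
        // could not be wiped like this and would stay readable until collected.
        System.out.println("caller copy cleared: " + (password[0] == '\0'));

        // Zeroing the array clears only this copy. The field's own model still
        // holds the characters, which is what the heap dump in the question shows.
        System.out.println("field still holds " + field.getPassword().length + " chars");
    }
}
```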