Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What are the security reasons for JPasswordField.getPassword()?

Since Java 1.2, JPasswordField.getText() has been deprecated "for security reasons", ecouraging usage of getPassword() method "for stronger securty".

However, I was able to get the password stored in JPasswordField at least in Oracle JRE 1.7 by analysing the heap dump (JPasswordField instance -> model -> s -> array).

So how does JPasswordField.getPassword() helps to protect the password?

like image 712
Alex Abdugafarov Avatar asked Jan 06 '12 11:01

Alex Abdugafarov


People also ask

What is the type of value that will be returned from getPassword () method?

Swing's JPasswordField has the getPassword() method that returns a char array.

What is getPassword in Java?

char[] getPassword() Returns the password as an array of characters. void setEchoChar(char) char getEchoChar() Sets or gets the echo character which is displayed instead of the actual characters typed by the user.

What is j password field in Java?

JPasswordField is a lightweight component that allows the editing of a single line of text where the view indicates something was typed, but does not show the original characters. You can find further information and examples in How to Use Text Fields, a section in The Java Tutorial.


1 Answers

Well, the documentation for it states:

For stronger security, it is recommended that the returned character array be cleared after use by setting each character to zero.

But, of course, if you use the getText method, you get back a String, which is immutable, so you couldn't carry out the same recommendation.

like image 116
Damien_The_Unbeliever Avatar answered Oct 06 '22 23:10

Damien_The_Unbeliever