Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why is char[] preferred over String for passwords?

In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords.

Why does String pose a threat to security when it comes to passwords? It feels inconvenient to use char[].

like image 843
Ahamed Avatar asked Jan 16 '12 14:01

Ahamed


People also ask

Which is better char array or String?

A char array is harder to manage than a string and certain functions may only accept a string as input, requiring you to convert the array to a string. It's better to use strings, they were made so that you don't have to use arrays. If arrays were objectively better we wouldn't have strings.

Why String is not used for password in Java?

Strings are immutable: Strings are immutable in Java and therefore if a password is stored as plain text it will be available in memory until Garbage collector clears it and as Strings are used in the String pool for re-usability there are high chances that it will remain in memory for long duration, which is a ...

Why do we use String array instead of char array?

Character ArraysStrings are immutable. Character Arrays are mutable. Built in functions like substring(), charAt() etc can be used on Strings. No built in functions are provided in Java for operations on Character Arrays.

Can we use String for password?

Strings Are Immutable Therefore, the password stored in a String will be available in memory until Garbage Collector clears it. We cannot control when it happens, but this period can be significantly longer than for regular objects since Strings are kept in a String Pool for re-usability purpose.


2 Answers

Strings are immutable. That means once you've created the String, if another process can dump memory, there's no way (aside from reflection) you can get rid of the data before garbage collection kicks in.

With an array, you can explicitly wipe the data after you're done with it. You can overwrite the array with anything you like, and the password won't be present anywhere in the system, even before garbage collection.

So yes, this is a security concern - but even using char[] only reduces the window of opportunity for an attacker, and it's only for this specific type of attack.

As noted in the comments, it's possible that arrays being moved by the garbage collector will leave stray copies of the data in memory. I believe this is implementation-specific - the garbage collector may clear all memory as it goes, to avoid this sort of thing. Even if it does, there's still the time during which the char[] contains the actual characters as an attack window.

like image 113
Jon Skeet Avatar answered Oct 17 '22 21:10

Jon Skeet


While other suggestions here seem valid, there is one other good reason. With plain String you have much higher chances of accidentally printing the password to logs, monitors or some other insecure place. char[] is less vulnerable.

Consider this:

public static void main(String[] args) {     Object pw = "Password";     System.out.println("String: " + pw);      pw = "Password".toCharArray();     System.out.println("Array: " + pw); } 

Prints:

String: Password Array: [C@5829428e 
like image 21
Konrad Garus Avatar answered Oct 17 '22 19:10

Konrad Garus