Wednesday 21 August 2019

java - Why we read password from console in char array instead of String

Possible Duplicate:
Why is char[] preferred over string for passwords?

When I was preparing for OCPJP I came across the topic "Reading User input from console".

There was an example where it read the username into a String reference, whereas the password went into a char[] array, but I couldn't understand why it used a char array. Here is the code:



import java.io.Console;

// System.console() returns null when no interactive terminal is attached
// (for example when run from an IDE or with redirected stdin).
Console console = System.console();

String username = console.readLine("User Name? ");
// readPassword() echoes nothing and returns a char[] rather than a String.
char[] password = console.readPassword("Password? ");


This raised a doubt in my mind. Why didn't we use a String reference to store the password? Since Strings are immutable, it must be more secure to read the password into a String, as its content could not be changed for that matter.



So, what's the whole point in reading the password into a char[] array?



Can anyone shed some light in this matter?



Answer



As you said, strings are immutable, meaning that once you've created the string, if another process can dump memory, there's no way (ok, maybe with reflection) you can get rid of the data before GC kicks in.



With an array, you can explicitly wipe the data after you're done with it: you can overwrite the array with anything you like, and the password won't be present anywhere in the system, even before garbage collection.
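The following program is an added illustration of the answer above; it is not code from the original question or answer. It reads the password into a char[], uses it only to derive a PBKDF2 hash (javax.crypto.spec.PBEKeySpec takes a char[] for the same reason and offers clearPassword() to zero its internal copy), and then overwrites the caller's array with Arrays.fill in a finally block so the wipe also happens on an exception. When no terminal is attached, System.console() is null, so the program falls back to a constructed sample password; that fallback is only for demonstration, because a String literal converted with toCharArray() leaves the original String in memory, which is exactly the situation the char[] convention is meant to avoid. The class name and the salt length are assumptions made for this example.

```java
import java.io.Console;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordWipeDemo {

    // Derive a 256-bit key from the password with PBKDF2-HMAC-SHA256.
    // The PBEKeySpec copies the password internally, so that copy is
    // cleared too before the method returns, whether or not it succeeds.
    static byte[] deriveKey(char[] password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory factory =
                    SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // zero the spec's private copy of the password
        }
    }

    // True when every element of the array has been overwritten with '\0'.
    static boolean isWiped(char[] buffer) {
        for (char c : buffer) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        char[] password = null;
        if (console != null) {
            password = console.readPassword("Password? "); // null on EOF
        }
        if (password == null) {
            // No interactive terminal (IDE, pipe, EOF): constructed sample value.
            // Note that the String literal itself stays in memory; in real use
            // the password should only ever exist as the char[] returned above.
            password = "constructed-sample-password".toCharArray();
        }

        byte[] salt = new byte[16]; // per-user random salt; 16 bytes is an assumption here
        new SecureRandom().nextBytes(salt);

        try {
            byte[] key = deriveKey(password, salt);
            System.out.println("derived key length in bytes: " + key.length);
        } finally {
            // Overwrite the password as soon as it is no longer needed,
            // even if key derivation threw. A String could not be cleared this way.
            Arrays.fill(password, '\0');
        }
        System.out.println("password array wiped: " + isWiped(password));
    }
}
```

The wipe is best effort: the JVM may still hold transient copies (for example in the console's own buffers or in objects already scheduled for collection), so the char[] convention shortens the window in which the plaintext is resident but does not guarantee that no copy exists anywhere.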

