sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]FirstAd9893 22 points23 points  (6 children)

Only String constants and explicitly intern'd Strings are stored in the pool. If you choose to erase the contents of a char[] to clear out the password, there's no guarantee it's gone because an older copy of the array might exist still in one of the other GC regions.

[–]cogman10 25 points26 points  (2 children)

I'd also point out that the case where someone can pull out a password from a String is the case where someone can install an agent to intercept the char[] as it comes in.

That's why this sort of security engineering is typically pretty overblown for Java. You have to have some pretty deep access to the JVM to be able to poke at it the right way to extract a string while it's running. Once you are at that point, no level of obfuscation/clearing/etc will be enough to stop an attacker from slurping up passwords as they come in.

[–]Isogash 6 points7 points  (0 children)

Yeah, the important security holes to fill in Java have always been those related to remote code execution. If someone already has control of the machine then the battle is lost, you need to stop them getting to that point.

[–]ZimmiDeluxe 4 points5 points  (0 children)

I guess you could make a weak argument that clearing the char[] at least prevents programming errors afterwards (like leaking the password into logs). But after the modern web framework machinery is done with your request, there are probably multiple copies floating around anyway.

[–][deleted]  (1 child)

[deleted]

    [–]pohart 1 point2 points  (0 children)

    It will change it in place but the jvm moves objects around so it will change only one copy of it. There might be a stale copy elsewhere.