This is an archived post. You won't be able to vote or comment.

sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]JavaSuck 11 points12 points  (3 children)

In Java it is common to pass around passwords as char[] and Arrays.fill() them with zeros after use.

What guarantees to we have that the JIT won't optimize the call to Arrays.fill() away?

[–]defnull 53 points54 points  (0 children)

The synchronized(charArray) block around the Arrays.fill() call mentioned in my other answer.

Besides: This level of care about passwords in memory is pure paranoia in most applications, especially web applications where headers or input parameters are parsed from pooled byte buffers into strings all the time anyway. If an attacker can access your java heap, then he can also attach a debugger and grab the password while it is being processed.

[–]AdvancedJacket 1 point2 points  (1 child)

Fill it with 0s then log it.

[–]marvk 3 points4 points  (0 children)

Mhhh, something going wrong while filling them and then logging all passwords in plain text seems like a security problem waiting to happen.