Reprint: http://my.oschina.net/jasonultimate/blog/166968
1) since strings is immutable in java if You store password as plain text it'll be available in& Nbsp;memory until Garbage collector clears it and since string are used in String pool for Reusability there is pretty high chance that it'll be remain in memory for long duration, which pose A security threat. Since any one who have access to memory dump can find the password in clear text and that's another reason you sh Ould always used an encrypted password than plain text. Since Strings is immutable there is no-it contents of Strings can be changed because any change would produce new St Ring, while if you char[] You can still set all His element as blank or zero. So storing password in character array clearly mitigates security risk of stealing password.
1) Because string is immutable in Java, if you save the password in plaintext as a string, it will remain in memory until the garbage collector clears it. And because strings are placed in the string buffer pool for easy reuse, it can be kept in memory for a long time, which leads to a security risk because anyone with access to the memory dump memory dump can clearly see the password in the text, That's why you should always use encrypted forms instead of plaintext to save passwords. Since the string is immutable, there is no way to modify the value of the string, because each modification will result in a new string, but if you use char[] to save the password, you can still set all of the elements to null or zero. So saving the password to a character array obviously reduces the risk of password theft.
2) Java itself recommends using GetPassword () method of JPasswordField which returns a char[] and deprecated GetText () met Hod which returns password in clear text stating security reason. Its good-follow advice from Java team and adhering to standard rather than going against it.
2)Java itself also recommends the use of the JPasswordField component's GetPassword () method, which returns an array of characters and discards the original GetText () method. This method returns the password as plaintext and may cause security problems. So it's best to listen to the suggestions from the Java team and stick to the standard, not against it.
3) with String There are always a risk of printing plain the text in log file or console but if use Array you won ' t print Conte NTS of array instead its memory location get printed. Though not a real reason but still make sense.
3) using strings, there is a risk of outputting text to a log file or console. But using arrays you do not print the contents of the array, but instead print out the array's position in memory. Although this is not a real reason, it still has a lot of meaning.
String strpassword= "Unknown";
Char[] charpassword= new char[]{' U ', ' n ', ' K ', ' w ', ' o ', ' n '};
System.out.println ("String Password:" + strpassword);
System.out.println ("Character Password:" + Charpassword);
String Password:unknown
Character password: [[email protected]
That's all on what character array is better choice than String for storing passwords in Java. Though using char[] is a just enough you need to erase content to be more secure. I also suggest working with hash ' d or encrypted password instead of plain text and clearing it from memory as soon as Auth Entication is completed.
This is all about why using character arrays to store passwords is better than strings. It is not enough to use only character arrays, and to be more secure you need to convert the contents of the array. I also recommend using a hashed or encrypted password instead of plaintext, and then erase it from memory once the validation is complete.
Java standard-passwords are used in arrays more secure than strings