In Java, it is better to save a password using a character array than to save the password using string.
Two reasons:
- It is difficult to purge from memory.
String is a non-mutable object that is placed in a string buffer to facilitate reuse, so it may be retained in memory for a long time.
Any person with access to the memory can easily see the plaintext password
Of course, the plaintext password should not be used at all.
- Java provides the GetPassword () method of the JPasswordField component
This is specially prepared for the password, don't you? Don't be lazy.
- At a time you don't know, it could be leaked somewhere else.
such as the log. May 2018 Twitter Hundreds of millions of user plaintext password disclosure (see here: 330 million user password suspect, Twitter a major security vulnerability), is an example
Using character arrays to save passwords is better than saving passwords using string