List:       secprog
Subject:    Re: Doubt in Security basics
From:       Roland Illig <roland.illig () gmx ! de>
Date:       2005-02-15 16:42:06
Message-ID: 4212265E.8050209 () gmx ! de

Babu Kopparam wrote:
> 
> Hi! List,
> 
> Probably I feel this doubt is related with basic knowledge.
> 
> Whenever capturing the password, char[] is used instead of String object. What purpose does this solve?
>   ---  I am referring to JAVA.

It seems to me that it's a matter of who controls the password. When you 
use java.lang.String for passwords, you never know where the string 
containing the password is saved, and when the password will be erased.

Using a char[] allows you to erase the password after use:

for (int i = 0; i < password.length; i++)
     password[i] = 'X';

In that case you just need to make sure that the char[] is never given 
to any other function which could copy the password out of the "safe" 
storage.

Roland
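
An added example, not part of the original message: it wipes the char[] in a finally block and also handles one standard-library call that copies the password, as the reply warns about. The class name, sample password, iteration count and key length are assumptions chosen for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.SecureRandom;
import java.util.Arrays;

public class PasswordWipeExample {

    // Derives a verifier from the password. PBEKeySpec clones the char[]
    // internally, so that copy must be cleared as well as the caller's array.
    static byte[] deriveVerifier(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the copy held inside the spec
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; a real program would use
        // System.console().readPassword(), which also returns a char[].
        char[] password = {'s', 'a', 'm', 'p', 'l', 'e'};
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        try {
            byte[] verifier = deriveVerifier(password, salt);
            System.out.println("verifier length: " + verifier.length);
        } finally {
            // Same effect as the loop in the message; runs even on exceptions.
            Arrays.fill(password, 'X');
        }
        System.out.println("after wipe: " + String.valueOf(password));
    }
}
```

Converting the array with new String(password) before the wipe would create an immutable copy that the wipe cannot reach, which is the situation the reply describes.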