This repository was archived by the owner on Mar 1, 2022. It is now read-only.

Do not hold user password in String object, use Char[] instead #84

@davidmigloz

Description

A cardinal rule of passphrases in Java is: do not hold them in String objects. You have no means of clearing those from memory, as a String is an immutable value.

Instead of String, use Char[] for any sensitive data. When all operations are finished with Char[], it can be overwritten with zeros or junk text to clear it from memory.

References:
https://nvisium.com/blog/2016/03/31/secure-password-strings.html
https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords
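The pattern the issue asks for, as an added example that is not part of the original issue or of the project's code: the passphrase is read into a `char[]` (via `Console.readPassword`, which never creates a `String`), handed to a key-derivation API that itself accepts `char[]` (`PBEKeySpec`), and then wiped with `Arrays.fill` in a `finally` block. The class name `PasswordHandling`, the method `deriveKey`, the iteration count and the fallback passphrase are assumptions made for this example.

```java
import java.io.Console;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordHandling {

    // Derives a 256-bit key from the passphrase with PBKDF2 and guarantees that
    // both the caller's buffer and PBEKeySpec's internal copy are wiped afterwards,
    // even if key derivation throws.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256); // iteration count is an assumption
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();        // PBEKeySpec clones the array; clear that copy too
            Arrays.fill(password, '\0'); // overwrite the caller's buffer with zeros
        }
    }

    // Returns true when every element of the buffer has been zeroed.
    static boolean isWiped(char[] buffer) {
        for (char c : buffer) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        char[] password;
        Console console = System.console();
        if (console != null) {
            // Reads directly into a char[]; no String is ever created for the passphrase.
            password = console.readPassword("Passphrase: ");
        } else {
            // Constructed fallback for non-interactive runs only. Note that this path
            // defeats the purpose: the String literal stays in memory regardless.
            password = "correct horse battery staple".toCharArray();
        }

        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        byte[] key = deriveKey(password, salt);
        System.out.println("Derived key length (bytes): " + key.length);
        System.out.println("Password buffer wiped: " + isWiped(password));

        // The derived key is sensitive as well; wipe it once it is no longer needed.
        Arrays.fill(key, (byte) 0);
    }
}
```

Two caveats worth keeping in mind. First, any API that takes or returns a `String` (for example `String.valueOf(password)`) silently recreates the problem, so every step between reading and wiping has to stay on the `char[]`. Second, wiping is best-effort on the JVM: a compacting garbage collector may already have moved the array and left the old copy behind, so this shortens the window during which a heap dump exposes the passphrase rather than eliminating it.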
