password in memory

Jim Frank
Greenhorn

Joined: Mar 13, 2004
Posts: 27
I have to get rid of a password in memory after it is decrypted and used. The password is encrypted and decrypted with JCE. I was thinking something like this:

StringBuffer x = Pass.decrypt();

// use it

// overwrite every character in place so the clear text is no longer in the buffer
for (int d = 0; d < x.length(); d++)
    x.setCharAt(d, 'X');

x = null;

I guess I have to do the same thing to the decrypted password in the decrypt() method.

Any thoughts?
joseph edwards
Greenhorn

Joined: Nov 26, 2005
Posts: 12
You can store the encrypted password in the heap, and have each function that needs the password decrypt the password as a local variable on the stack. As stack memory is very temporary, unlike heap memory, the clear-text password will only be visible for a limited amount of time.