This week's book giveaways are in the Java EE and JavaScript forums.
We're giving away four copies each of The Java EE 7 Tutorial Volume 1 or Volume 2(winners choice) and jQuery UI in Action and have the authors on-line!
See this thread and this one for details.
The moose likes Security and the fly likes password in memory Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of The Java EE 7 Tutorial Volume 1 or Volume 2 this week in the Java EE forum
or jQuery UI in Action in the JavaScript forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "password in memory" Watch "password in memory" New topic
Author

password in memory

Jim Frank
Greenhorn

Joined: Mar 13, 2004
Posts: 27
I have to get rid of a password in memory after decrypted and used. The password is encypt and decrypt with JCE. I was thinking such:

StringBuffer x = Pass.decrypt();

//use it

for(d=0; d<x.length();d++)
x.setCharAt(d,'X');

x=null;

I guess I have to do the same thing to the decrypted password in the decrypt() method.

Any thoughts?
joseph edwards
Greenhorn

Joined: Nov 26, 2005
Posts: 12
You can store the encrypted password in the heap, and have each function that needs the password to decrypt the password as a local variable on the stack. As stack memory is very temporary unlike heap memory, the clear-text password will only be visible for a limited amount of time.

Originally posted by Jim Frank:
I have to get rid of a password in memory after decrypted and used. The password is encypt and decrypt with JCE. I was thinking such:

StringBuffer x = Pass.decrypt();

//use it

for(d=0; d<x.length();d++)
x.setCharAt(d,'X');

x=null;

I guess I have to do the same thing to the decrypted password in the decrypt() method.

Any thoughts?
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: password in memory