char[] security

What is a good security reason for storing a password within a char[] rather than within a String?

Your char[] is not reused or interned like strings are, so you have complete control over the data. An interned string, i.e. one in the string cache, can show up in diagnosis tools or memory dumps even after you dumped the original data.

Strings aren't interned unless they're hard-coded as literals (which a password obviously isn't) or they're explicitly interned using the intern() method... or am I missing something?

Luigi Plinge wrote:Strings aren't interned unless they're hard-coded as literals (which a password obviously isn't) or they're explicitly interned using the intern() method... or am I missing something?

Would you kindly clarify with an example, please?

I guess if you were to do something dumb like hard-code a password into a class, it would make more sense to use a char[], but even then someone could just look for a list of chars in the class file, or decompile it to source. So worrying about memory dumps etc seems strange, unless I'm missing something, which is very possible.

It's good practice to set a password String to null, as above, as soon as you've finished with it.

Luigi Plinge wrote:String pwd1 = "asdfgh"; // String literal String pwd2 = myObject.getPassword(); // Get it from elsewhere, e.g. user input or file // check password here pwd1 = null; pwd2 = null; // "asdfgh" still exists in String pool, but the former value of pwd2 is gone forever
I guess if you were to do something dumb like hard-code a password into a class, it would make more sense to use a char[], but even then someone could just look for a list of chars in the class file, or decompile it to source. So worrying about memory dumps etc seems strange, unless I'm missing something, which is very possible.

It's good practice to set a password String to null, as above, as soon as you've finished with it.

Yes, I agree it's a bit weird to worry about reading passwords off memory dumps, since users normally don't bother to do that, but we're wary of hackers

In a business scenario I would store encrypted passwords, and, set the password to null as soon as I have validated it.

Well my point was that since you should never have a literal password in your code, it won't make any difference if you use a String or char[]!

Luigi Plinge wrote:Well my point was that since you should never have a literal password in your code, it won't make any difference if you use a String or char[]!

Yeah, but Horstmann and Cornell suggest that it is good practice to use char[], hence, I thought it would be safer to ask why before making assumptions.

import java.awt.*;
import java.awt.event.*;
import javax.swing.*;

/**
 * @version 1.33 2007-06-12
 * @author Cay Horstmann
 */
public class DataExchangeTest
{
   public static void main(String[] args)
   {
      EventQueue.invokeLater(new Runnable()
         {
            public void run()
            {
               DataExchangeFrame frame = new DataExchangeFrame();
               frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
               frame.setVisible(true);
            }
         });
   }
}

/**
 * A frame with a menu whose File->Connect action shows a password dialog.
 */
class DataExchangeFrame extends JFrame
{
   public DataExchangeFrame()
   {
      setTitle("DataExchangeTest");
      setSize(DEFAULT_WIDTH, DEFAULT_HEIGHT);

// construct a File menu

JMenuBar mbar = new JMenuBar();
      setJMenuBar(mbar);
      JMenu fileMenu = new JMenu("File");
      mbar.add(fileMenu);

// add Connect and Exit menu items

JMenuItem connectItem = new JMenuItem("Connect");
      connectItem.addActionListener(new ConnectAction());
      fileMenu.add(connectItem);

// The Exit item exits the program

JMenuItem exitItem = new JMenuItem("Exit");
      exitItem.addActionListener(new ActionListener()
         {
            public void actionPerformed(ActionEvent event)
            {
               System.exit(0);
            }
         });
      fileMenu.add(exitItem);

textArea = new JTextArea();
      add(new JScrollPane(textArea), BorderLayout.CENTER);
   }

public static final int DEFAULT_WIDTH = 300;
   public static final int DEFAULT_HEIGHT = 200;

private PasswordChooser dialog = null;
   private JTextArea textArea;

/**
    * The Connect action pops up the password dialog.
    */

private class ConnectAction implements ActionListener
   {
      public void actionPerformed(ActionEvent event)
      {
         // if first time, construct dialog

if (dialog == null) dialog = new PasswordChooser();

// set default values
         dialog.setUser(new User("yourname", null));

// pop up dialog
         if (dialog.showDialog(DataExchangeFrame.this, "Connect"))
         {
            // if accepted, retrieve user input
            User u = dialog.getUser();
            textArea.append("user name = " + u.getName() + ", password = "
                  + (new String(u.getPassword())) + "\n");
         }
      }
   }
}

/**
 * A password chooser that is shown inside a dialog
 */
class PasswordChooser extends JPanel
{
   public PasswordChooser()
   {
      setLayout(new BorderLayout());

// construct a panel with user name and password fields

JPanel panel = new JPanel();
      panel.setLayout(new GridLayout(2, 2));
      panel.add(new JLabel("User name:"));
      panel.add(username = new JTextField(""));
      panel.add(new JLabel("Password:"));
      panel.add(password = new JPasswordField(""));
      add(panel, BorderLayout.CENTER);

// create Ok and Cancel buttons that terminate the dialog

okButton = new JButton("Ok");
      okButton.addActionListener(new ActionListener()
         {
            public void actionPerformed(ActionEvent event)
            {
               ok = true;
               dialog.setVisible(false);
            }
         });

JButton cancelButton = new JButton("Cancel");
      cancelButton.addActionListener(new ActionListener()
         {
            public void actionPerformed(ActionEvent event)
            {
               dialog.setVisible(false);
            }
         });

// add buttons to southern border

JPanel buttonPanel = new JPanel();
      buttonPanel.add(okButton);
      buttonPanel.add(cancelButton);
      add(buttonPanel, BorderLayout.SOUTH);
   }

/**
    * Sets the dialog defaults.
    * @param u the default user information
    */
   public void setUser(User u)
   {
      username.setText(u.getName());
   }

/**
    * Gets the dialog entries.
    * @return a User object whose state represents the dialog entries
    */
   public User getUser()
   {
      return new User(username.getText(), password.getPassword());
   }

/**
    * Show the chooser panel in a dialog
    * @param parent a component in the owner frame or null
    * @param title the dialog window title
    */
   public boolean showDialog(Component parent, String title)
   {
      ok = false;

// locate the owner frame

Frame owner = null;
      if (parent instanceof Frame) owner = (Frame) parent;
      else owner = (Frame) SwingUtilities.getAncestorOfClass(Frame.class, parent);

// if first time, or if owner has changed, make new dialog

if (dialog == null || dialog.getOwner() != owner)
      {
         dialog = new JDialog(owner, true);
         dialog.add(this);
         dialog.getRootPane().setDefaultButton(okButton);
         dialog.pack();
      }

// set title and show dialog

dialog.setTitle(title);
      dialog.setVisible(true);
      return ok;
   }

private JTextField username;
   private JPasswordField password;
   private JButton okButton;
   private boolean ok;
   private JDialog dialog;
}

/**
 * A user has a name and password. For security reasons, the password is stored as a char[], not a
 * String.
 */
class User
{
   public User(String aName, char[] aPassword)
   {
      name = aName;
      password = aPassword;
   }

public String getName()
   {
      return name;
   }

public char[] getPassword()
   {
      return password;
   }

public void setName(String aName)
   {
      name = aName;
   }

public void setPassword(char[] aPassword)
   {
      password = aPassword;
   }

private String name;
   private char[] password;
}

Source: Core Java Vol 1 (8th Ed) P.64, 473

Luigi Plinge wrote:Strings aren't interned unless they're hard-coded as literals (which a password obviously isn't) or they're explicitly interned using the intern() method... or am I missing something?

Literal Strings are automatically interned, as stated in the documentation. There is no statement about other Strings, neither positive nor negative, but there exists a JVM flag for a generic String cache: http://www.oracle.com/technetwork/java/javase/tech/vmoptions-jsp-140102.html

But: You don't know what happens when you use other technologies that will work with your password, and typically there are some involved, e.g. persistence and web. Serialization can be involved or even other String operations like trimming that could intern. With a char[] you know nothing of that sort will happen.

Hauke Ingmar Schmidt wrote:

Luigi Plinge wrote:Strings aren't interned unless they're hard-coded as literals (which a password obviously isn't) or they're explicitly interned using the intern() method... or am I missing something?

Literal Strings are automatically interned, as stated in the documentation. There is no statement about other Strings, neither positive nor negative, but there exists a JVM flag for a generic String cache: http://www.oracle.com/technetwork/java/javase/tech/vmoptions-jsp-140102.html

But: You don't know what happens when you use other technologies that will work with your password, and typically there are some involved, e.g. persistence and web. Serialization can be involved or even other String operations like trimming that could intern. With a char[] you know nothing of that sort will happen.

What do you mean by 'interned', please?

Check out the javadoc for java.lang.String - the intern() method.

The reason for using char[] is that you can fill it with zeroes after use.
Check the javadoc for JPasswordField.

It can't be done with String because Strings are immutable.