Console class readPassword() - Questions about the API

 
Greenhorn
Hello!

I am using the Console class's readPassword() method in my code. The readPassword() method returns a character array containing the password the user entered.

The Java 7 API states the following in regards to this method:
"Security note: If an application needs to read a password or other secure data, it should use readPassword() or readPassword(String, Object...) and manually zero the returned character array after processing to minimize the lifetime of sensitive data in memory."

What does the API mean by "manually zero" the array? Does it mean to assign the character array reference to null or does it mean to assign each element of the character array to the null character?

Here is a link to the API in case anyone wishes to read it:
Java API page for the Console class

Thank you!
 
Greenhorn
I got it, it assigns each to the null character... simple
 
Marshal

vineet chaturvedi wrote: I got it, it assigns each to the null character... simple

Not necessarily a null character. If you reassign each char in that array to anything, you can delete the password, but its length will remain. If the array turns into [#,#,#,#,#,#,#,#], a malicious person can tell that the password contains 8 characters and no more. Reassigning the whole array to ['p','a','s','s','w','o','r','d'] might have the same effect.

And welcome to the Ranch
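
The difference the original question asks about, as an added example that is not code from any poster in this thread: setting the reference to null leaves the characters in the array untouched, while overwriting each element removes them. The class name ZeroPasswordDemo, the check() helper and the sample value are hypothetical.

```java
import java.io.Console;
import java.util.Arrays;

public class ZeroPasswordDemo {

    // Hypothetical stand-in for real processing (hashing, authenticating, ...).
    // It works on the char[] directly; copying into a String would leave an
    // immutable copy that cannot be overwritten afterwards.
    static boolean check(char[] password) {
        return password.length >= 8;
    }

    public static void main(String[] args) {
        // Constructed sample: why "pw = null" is not zeroing.
        char[] pw = {'s', 'e', 'c', 'r', 'e', 't'};
        char[] alias = pw;          // second reference to the same array object
        pw = null;                  // drops one reference; the chars are untouched
        System.out.println("after pw = null:   " + new String(alias));

        Arrays.fill(alias, '\0');   // overwrites every element in place
        boolean wiped = Arrays.equals(alias, new char[alias.length]);
        System.out.println("after Arrays.fill: all zero = " + wiped);

        // Real use with Console. System.console() returns null when the JVM
        // has no interactive terminal (IDE run, piped stdin).
        Console console = System.console();
        if (console == null) {
            System.err.println("No console available; not prompting.");
            return;
        }
        char[] password = console.readPassword("Password: ");
        if (password == null) {     // end of stream reached
            return;
        }
        try {
            System.out.println(check(password) ? "accepted" : "too short");
        } finally {
            Arrays.fill(password, '\0');   // runs even if check() throws
        }
    }
}
```

Any fill value overwrites the password; as the last reply notes, the array length stays visible either way.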
 