While working in core Java application or enterprise web application there is always a need of working with passwords in order to authenticate user. Passwords are very sensitive information like Social Security Number(SSN) and if you are working with real human data like in online banking portal or online health portal its important to follow best practices to deal with passwords or Social security numbers. here I will list down some of the points I learned and take care while doing authentication and authorization or working with password. I recommend to read more on this topic and have a checklist of things based on your application requirement. Anyway here are few points which make sense to me:
7 Tips to deal with sensitive information or password in Java
1) Use SSL to transfer username and password:
LDAP and Active Directory are mostly used for storing username, password, authorities and access and has become standard in almost all places, but doing LDAP authentication is still a programming task and you need to collect and pass passwords from user to LDAP Server securely. Use SSL while doing LDAP bind operation otherwise anyone can
intercept LDAP traffic and get access to username and password. Spring security offers a convenient way of doing
LDAP authentication. see my post how to perform LDAP authentication in Java using spring security for more details.
2) Store password in char instead of String
Strings are immutable in Java and there is no way you can erase content of String because any modification in String
will result in a new String. Also Strings are cached in String pool which pose a security risk of exposing password in clear text to anyone who has access to memory of java application. even an accident like core dump of java application, generating memory dump in /tmp can put passwords in real threat. by using char you can erase convents by setting it blank or any other character which reduces security risk of exposing password. See Why char array is better than String for storing password in Java for more detail
3) Always use encrypted password in Application
This is one step further from earlier tip, instead of Storing password or sensitive information in clear text always store them in encrypted or hashed format. This reduces risk of exposing password to any stranger who some how has access of application memory while you are performing authentication.
4) Clear password or sensitive information as soon as possible
Never left your password unattended or longer than needed, erase it as soon as you are done with them. Also caching password or storing them for future checks is not a good idea. Its recommended to keep password or any sensitive data like SSN for very short duration in memory or heap.
5)Don't cache Passwords
As I said earlier never cache a password for future authentication or any kind of checks. authenticate it once and clear the password if needed do a re authentication in similar fashion.
6) Use control to hide password while entering in user interface
Always use JPasswordFiled or similar control like input type=password in html forms for asking password
from user to avoid risk of anyone seeing it while entering or to prevent from any peeping tom.
7) Never pass sensitive information like passwords, SSN to logger, on Exceptions or to console.
Exceptions are real risk since sometime they print data associated with Error like FileNotFoundException may print name of file if not found, In order to tackle this issues always cache primitive Exception and sanitize it before re throwing it or delegating it for further processing especially while writing code which requires stringent security.
That's all on best practices of dealing password in Java application. In my opinion these are just tip of iceberg in most of enterprise application standards are even more stringent and a proprietary guideline to deal with passwords may exist. I still see value of these common points because it help to mitigate risk associated with sensitive data. Please let us know what best practices you are following while working with passwords in Java or J2EE application.
If you are new here you may like to check these older Java posts