Comments on Javarevisited: Why character array is better than String for Storing password in Java? Example
(comment feed, 25 comments, newest first)

Anonymous (2022-08-04):
It's 2022 and still this question makes sense today. Really good discussion on the post as well as in the comment section. Thanks Javarevisited.

Anonymous (2022-07-06):
I know this is old, I wanted to point out that you can overwrite char values with something else to erase the actual characters. You can't do that with String in Java. In C, I'd just wipe the memory with null.

Anonymous (2021-04-21):
It is a char array, so it can hold alphabet, numbers, etc.

Anonymous (2018-07-08):
Have a doubt. An array allows similar data types. Then how can it store different types in a password?

SUBODH (2017-01-17):
In earlier Java versions, String is stored in the String pool, which makes it vulnerable to accidental changes.
Though this is a very rare case, there is still a possibility of accidental override.

Torsten Werner (2016-09-07):
Authentication tokens in a typical Java webapp, such as passwords in HTML forms / HTTP params, authorization headers, or session cookies, are always handled with the String type in the Servlet API. This discussion is far from reality as long as you do not start rewriting the world.

Anonymous (2016-09-05):
Storing the password as plain text, either in char[] or String, is bad practice and insecure. You should _always_ use a hash; this way the password is never visible in memory.

Anonymous (2016-09-03):
Valid points

Anonymous (2016-07-11):
It is true that String stores the character sequence in a char array, but the problem with this is that it stores this data in the string pool for a very long time, if not until the application shuts down. This value can be acquired from a dump with some effort.
A brute force hack becomes much easier for me if this memory dump is available to me.

Earl (2016-02-15):
The only reason passwords are done in char[] is for performance. You don't get any more secure using char[], as String stores all data internally as char[] anyway. You always store the password (in char[]) in encrypted format in memory; you can NEVER get the password from dumping or snooping. The only way to check the password is calling a function that checks and immediately discards the

Dave Cronin (2015-09-21):
In reply to Craig's points about the use of char[] being a bad idea, I would reply:
1. Yes, using char can complicate things, but then a password is just a sequence of characters, so a char array is suitable to store a password.
2 and 3. The char array data could indeed get into a core dump, or be swapped to virtual memory. However, the password will not be accessible in RAM, so it does

Anonymous (2014-12-21):
Why would you store the password in the first place!!!
It's a bad design in itself IMHO.
Defer it to the authentication system (webserver/LDAP etc.) or store its hash or any other encrypted form.

Then you wouldn't have to care about char[] or String; I personally do not see any threat in using String.

Someone who can access the memory dump could as well run remote

Tushar jain (2014-11-27):
Hi. Can you please explain the below code more clearly?

    char[] charPassword = new char[] { 'U', 'n', 'k', 'w', 'o', 'n' };
    Character password: [C@110b053

How is this output possible in the case of a char array??

Unknown (2014-05-15):
"Strings are used in the String pool for reusability" is generally not correct in this case.

Only certain types of strings are interned in the permanent generation. Strings created dynamically at runtime, i.e. strings in an HTTP request, are not.
Consider this: if every String pulled in an HTTP request was interned, you'd consume all of the permanent gen quickly.

Anonymous (2014-04-09):
As you said, someone who has access to the memory dump can know the passwords if they are in String form, and in a char array only the address will be known. As he knows the memory dump, won't he be able to find the password using that address which he knows?

The One (2013-09-12):
There is an API provided by Java itself to get the characters in an array. Please have a look at the below code snippet; there is no benefit of an array over a String in this scenario, but memory-wise yes there is:

    System.out.println("Character password: " + Arrays.toString(charPassword));

    Character password: ['U','n','k','w','o','n']

Anonymous (2013-04-23):
Strings don't keep any information about encoding -- they just have a char[], and a char is a Unicode code point in UTF-16. You can create a String from a byte[] and an encoding, and given a String you can get a byte[] if you give it an encoding -- but the String itself has no encoding other than the UTF-16 of its chars.

Anonymous (2013-03-11):

    public class printPwd {
        public static void main(String[] args) {
            String strPassword = "Unknown";
            char[] charPassword = new char[] { 'U', 'n', 'k', 'w', 'o', 'n' };
            System.out.println("String password: " + strPassword);
            // String.valueOf(char[]) builds a String from the array, so this prints the password in clear text
            System.out.println("Character password: " + String.valueOf(charPassword));
        }
    }

Anonymous (2013-02-20):

    System.out.println(charPassword);

The above line prints the password in clear text.

Dave Conrad (2013-01-24):
There are a few mistakes here. First, there is no real "danger" of a password String being logged, since it would only happen if you explicitly log it.

Second, you can easily print the contents of an array using Arrays.toString(), so if you're afraid your fingers will type logger.info(password), well, they might also accidentally type logger.info(Arrays.toString(password)

Unknown (2013-01-10):
This is awesome. Points noted and very mind blowing. Java needs further reading.

Jun kun (2013-01-09):
Now I am confused between char[] and String to store a password. Which one should I use, char[] or String?

Craig (2012-06-11):
Using char[] instead of String for passwords is (IMHO) a bad idea for a few reasons:

1. That's going to massively complicate things. Strings maintain information about character encodings - char[] (obviously) does not. So if you use char[], you have to be very careful to always use the same encoding.
This is critical if you support non-US English users (and you should always do

Javin @ Java String replace Example (2012-03-27):
Well said Sarat, indeed a point worth noting.

Sarat (2012-03-26):
Added to the above reasons, class String is also Serializable. So by using a character array we also avoid the risk of serializing the password.