directory-fortress mailing list archives

From Shawn McKinney <smckin...@apache.org>
Subject Re: Password as String or char[]?
Date Tue, 11 Oct 2016 14:17:30 GMT

> On Oct 10, 2016, at 12:31 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> 
> +1 to change it to string. We can always explicitly mark that as "null"
> after using it.
> 
> (IMO if the attacker gained access to the OS then we have bigger
> operational security issues than
> implementation)

Kiran, thanks for weighing in.  I want to make sure I am understanding….

So at the end of an operation, i.e. createSession ( User user ) we’d do something like this:

user.setPassword(null);

?

Thanks,
Shawn
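
The difference the thread is weighing, as an added example that is not part of the original message and is not Fortress code: setting a String field to null only drops one reference, while a char[] can be overwritten in place. DemoUser, its method names and the sample password are hypothetical and constructed for illustration.

```java
import java.util.Arrays;

public class PasswordClearDemo {
    // Hypothetical stand-in for a user entity; NOT the Fortress User class.
    static class DemoUser {
        private String passwordString;
        private char[] passwordChars;

        void setPasswordString(String p) { passwordString = p; }
        void setPasswordChars(char[] p)  { passwordChars = p; }

        // Overwrite the array contents in place, then drop the reference.
        void clearPasswordChars() {
            if (passwordChars != null) {
                Arrays.fill(passwordChars, '\0');
                passwordChars = null;
            }
        }
    }

    // True when every element of the array has been overwritten with NUL.
    static boolean allZero(char[] a) {
        for (char c : a) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) {
        DemoUser user = new DemoUser();

        // Case 1: String. Constructed sample value, not a real credential.
        String secret = "constructed-sample-pw";
        user.setPasswordString(secret);
        user.setPasswordString(null);
        // The field is now null, but String objects are immutable: the
        // characters are untouched, any other holder of the reference can
        // still read them, and they remain on the heap at least until the
        // garbage collector reclaims the object.
        System.out.println("String still readable: " + secret);

        // Case 2: char[]. The caller and the entity share one array,
        // so filling it clears the value for every holder of that array.
        char[] chars = "constructed-sample-pw".toCharArray();
        user.setPasswordChars(chars);
        user.clearPasswordChars();
        System.out.println("char[] zeroed: " + allZero(chars));
    }
}
```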