directory-fortress mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Password as String or char[]?
Date Tue, 11 Oct 2016 14:28:28 GMT
On 11/10/16 at 16:17, Shawn McKinney wrote:
>> On Oct 10, 2016, at 12:31 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
>>
>> +1 to change it to string. We can always explicitly mark that as "null"
>> after using it.
>>
>> (IMO if the attacker gained access to the OS then we have bigger
>> operational security issues than implementation)
> Kiran, thanks for weighing in.  I want to make sure I am understanding….
>
> So at the end of an operation, i.e. createSession ( User user ) we’d do something like this:
>
> user.setPassword(null);

That does not help. It just tells the GC 'you can discard the String',
but it does not enforce this removal from memory.
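To illustrate the point above, here is an added example constructed for this page (not Apache Fortress code) with a hypothetical User class that holds the password both ways: setting the String field to null only drops a reference, so the characters remain reachable through any other holder, whereas Arrays.fill on a char[] overwrites the data in place.

```java
import java.util.Arrays;

// Constructed example, not Apache Fortress code. It contrasts a String
// password that is merely set to null with a char[] password that is
// overwritten before its reference is dropped.
public final class PasswordScrubDemo {

    // Hypothetical User type carrying both representations, for comparison only.
    static final class User {
        private String stringPassword;
        private char[] charPassword;

        void setStringPassword(String p) { this.stringPassword = p; }
        void setCharPassword(char[] p) { this.charPassword = p; }
        String getStringPassword() { return stringPassword; }
        char[] getCharPassword() { return charPassword; }

        // Drops the reference only: the String object and its characters
        // stay in the heap until the GC eventually reclaims them.
        void clearStringPassword() { this.stringPassword = null; }

        // Overwrites the characters themselves, then drops the reference.
        // Every other holder of the same array now sees zeros.
        void clearCharPassword() {
            if (charPassword != null) {
                Arrays.fill(charPassword, '\0');
                charPassword = null;
            }
        }
    }

    public static void main(String[] args) {
        User user = new User();

        // String variant: a second reference (a local here; in practice a
        // log buffer or an unreclaimed heap object) still exposes the secret
        // after the field has been nulled.
        user.setStringPassword("s3cr3t");            // constructed sample value
        String alias = user.getStringPassword();
        user.clearStringPassword();
        System.out.println("String alias still holds: " + alias);

        // char[] variant: the alias points at the scrubbed array, because the
        // data itself was overwritten rather than just unreferenced.
        user.setCharPassword("s3cr3t".toCharArray());
        char[] charAlias = user.getCharPassword();
        user.clearCharPassword();
        System.out.println("char[] alias is all NUL: " + Arrays.toString(charAlias));
        // Caveat: this scrubs only the array you hold; copies made earlier
        // (e.g. by converting to String, or by the GC relocating objects) are not cleared.
    }
}
```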
