Just a few days ago a co-worker asked me about mongodb’s choice of
char for the password in their authenticate call. He was wondering why they chose
The reason is simple: some people feel that using a
char is safer since you can “wipe out” the array after you’re done with the data (eg. the password).
String being an immutable type does not allow this precaution; once you’re done with the
String it’ll live in memory until garbage collection decides to claim it at an undetermined time in the future.
The implication, of course, is that an attacker may read the contents of the memory before the
String is garbage collected and steal the password.
This, however, seems a moot to me. Switching to a
char does not really solve the problem; it only reduces the time window in which the memory contents are available to an attacker. This is even worse than security through obscurity; really, this is just giving up and pretending to do something to address the problem. I’ll also say that if someone is able to read the contents of your memory space, you have bigger problems than using a
String for your password.
Nonetheless, there is one slight advantage in using character arrays for sensitive data: you’re less likely to accidentally print the contents of an
Array (to a log, or console, etc.) than the contents of a
The above code, for example, does not print “Secret”. Rather, it prints the
@ character followed by the unsigned hexadecimal representation of the hash code of the object. This is because
Array does not override
Object’s implementation of
toString, so you just get the default behavior (see documentation). Still, I don’t think this is enough “security” to warrant using a character array.
The real solution, would be to implement something like .NET’s
SecureString object behaves a lot like a regular
String object except that its memory contents are automatically encrypted. Furthermore, a
SecureString instance is immediately discarded when no longer in use. This approach offers real security and it gives developers are more appropriate API when handling strings.
If it wasn’t for the fact that it sucks to handle strings as character arrays, I’d say that the marginal security benefits of using a
char are worth it. But really, there’s no way to rationally justify this. Just keep using a
String, or if you really care, find a good