  1. #1
    radish is offline Member

    Rewriting char arrays...

    Say I'm paranoid... but if I get a password from the user, then use it, after that I want to "purge" it from memory, is this achieved by rewriting that array with random* data?

    - Will it be stored in a new data position or rewrite the same? (Assuming same length is used!)


    ref: @30 mins
    Secure Coding Guidelines for the Java Programming Language - YouTube


    *** EDIT
    Same for strings!
    Last edited by radish; 08-21-2013 at 02:32 AM.

  2. #2
    jim829 is offline Senior Member

    Re: Rewriting char arrays...

    I can't answer this for certain but I tend to think that any character array you create and fill is not duplicated anywhere else. However, when you read input from a terminal, that input is being passed in via a buffer. So I would suspect that the input buffer from which the character array is filled still has those characters in it.

    Regards,
    Jim
    The Java™ Tutorial | SSCCE | Java Naming Conventions
    Poor planning on your part does not constitute an emergency on my part.

  3. #3
    radish is offline Member

    Re: Rewriting char arrays...

    I remember seeing something about how defining a String actually defines a pool of strings...? I wondered if assigning to the string again may write to another memory location. From reading the following and other, since String is immutable, when altering it the original is discarded to the GC and new one is made...
    Java Interview Question – String vs StringBuffer vs StringBuilder | JournalDev

    I've never used StringBuilder or StringBuffer but have seen discussion...

    Is there any way to see the pointer? (Been a long time since I did Java but I believe it doesn't have them!?! But I see mentions of references?)
    Is there any way to see memory allocated in the JVM, etc... and GC can only be "suggested" not actually forced!?!

    Oh, even worse than console buffer, I'll be using Swing or AWT when I get around to that part :(

    There isn't a "Free" function is there!?!

    P.S. I'll get back to char arrays soon too ;)

  4. #4
    radish is offline Member

    Re: Rewriting char arrays...

    java - Why is char[] preferred over String for passwords? - Stack Overflow
    That highlights my (paranoid) issues perfectly! But also indicates more problems when using the PrivateKey class :(

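    Java Code:
    import java.io.Console;

    Console console = System.console(); // null when no interactive terminal is attached
    String username = console.readLine("User Name? ");
    char[] password = console.readPassword("Password? "); // echo is disabled while typing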
    The following shows a way of using console to go straight to a char[] (not sure if still has internal buffer!?!) and clearing it too...
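    Java Code:
    import java.util.Arrays;
    char[] passdata = console.readPassword("[Please Input Your Password]: ");
    if (passdata != null) { // readPassword() returns null at end of stream
        // ... use the password here, then overwrite it ...
        Arrays.fill(passdata, ' '); // re-sets all data in the array
    }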
    (ref: Console: Use the Java 6 Console API)

    Also when concerning Swing (posted in original ref):
    Java recommendation using getPassword() method of JPasswordField which returns a char[]

  5. #5
    JosAH is online now Moderator

    Re: Rewriting char arrays...

    Quote: Originally posted by radish
    The following shows a way of using console to go straight to a char[] (not sure if still has internal buffer!?!) and clearing it too...

    Have a look at the source code for the Console class: the readPassword() method uses an internal buffer and clears it after copying its contents to a char[] which it returns. You should do the same as soon as you're done with it.

    kind regards,

    Jos
    cenosillicaphobia: the fear for an empty beer glass
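
An added example, not written by any poster in this thread, of the pattern discussed above: read the password into a char[], hand it to an API that keeps its own copy, then wipe both copies in a finally block. The class name, sample password, salt size and PBKDF2 parameters are assumptions chosen for illustration.

```java
import java.io.Console;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordWipeDemo {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        // Constructed sample value, used only when no terminal is attached.
        char[] password = (console != null)
                ? console.readPassword("Password? ")
                : new char[] {'s', '3', 'c', 'r', 'e', 't'};
        if (password == null) return; // readPassword() returns null at end of stream

        char[] alias = password; // second reference to the same array object
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        // PBEKeySpec stores its own clone of the char[], so it needs its own wipe.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256); // illustrative parameters
        try {
            byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            System.out.println("derived key bytes: " + key.length);
            Arrays.fill(key, (byte) 0);
        } finally {
            spec.clearPassword();        // clears the clone held inside the spec
            Arrays.fill(password, '\0'); // overwrites the caller's array in place
        }

        // The fill wrote into the existing array object; no new array was allocated.
        // (A moving garbage collector may have relocated the array earlier; the fill
        // only clears the current copy.)
        System.out.println("same array object: " + (alias == password));
        System.out.println("all zero: " + Arrays.equals(password, new char[password.length]));

        // A String cannot be overwritten: "changing" it allocates a new object and
        // the old characters stay on the heap until that memory is reclaimed and reused.
        String original = new String(new char[] {'a', 'b', 'c'});
        String changed = original.replace('a', 'x');
        System.out.println("String changed in place: " + (original == changed));
    }
}
```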

  6. #6
    radish is offline Member

    Re: Rewriting char arrays...

    Going through it and if you call console.readPassword() without arguments, then internally it calls the same again. When it returns along the same path will it also push another char[] into memory?

    Java > Open Source Codes > java > io > Console _ Java API By Example, From Geeks To Geeks.
    Java > Open Source Codes > java > io > Reader _ Java API By Example, From Geeks To Geeks.

    Cheers, I'll look more later... but ... won't spend too long on this ;)
