Console class readPassword() - Questions about the API

 
Lance Smith
Greenhorn
Posts: 1
Hello!

I am using the Console class's readPassword() method in my code. The readPassword() method returns a character array containing the password the user entered.

The Java 7 API states the following in regards to this method:
"Security note: If an application needs to read a password or other secure data, it should use readPassword() or readPassword(String, Object...) and manually zero the returned character array after processing to minimize the lifetime of sensitive data in memory. "

What does the API mean by "manually zero" the array? Does it mean to assign the character array reference to null or does it mean to assign each element of the character array to the null character?

Here is a link to the API in case anyone wishes to read it:
Java API page for the Console class

Thank you!
 
vineet chaturvedi
Greenhorn
Posts: 8
I got it. It assigns each one a null character... simple.
 
Campbell Ritchie
Marshal
Posts: 56599
vineet chaturvedi wrote: I got it. It assigns each one a null character... simple.
Not necessarily a null character. If you reassign each char in that array to anything, you can delete the password, but its length will remain. If the array turns into [#,#,#,#,#,#,#,#], a malicious person can tell that the password contains 8 characters and no more. Reassigning the whole array to ['p','a','s','s','w','o','r','d'] might have the same effect.

And welcome to the Ranch
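As an added example (not code from the original thread or from the JDK), here is how the "manually zero" advice is usually applied: the char[] returned by readPassword() is handed to an API that accepts char[], never converted to a String, and every element is overwritten in a finally block once processing is done. The verify helper and the sample expected password are assumptions made for illustration.

```java
import java.io.Console;
import java.util.Arrays;

public class PasswordPrompt {

    // Hypothetical consumer: a real application would pass the char[] to an
    // API that takes char[] (a KeyStore or PBE key spec, for instance), never
    // to a String, because a String cannot be zeroed afterwards.
    static boolean verify(char[] candidate, char[] expected) {
        // Compare every position rather than returning on the first mismatch,
        // so timing does not reveal how many leading characters were correct.
        int diff = candidate.length ^ expected.length;
        int n = Math.min(candidate.length, expected.length);
        for (int i = 0; i < n; i++) {
            diff |= candidate[i] ^ expected[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        Console console = System.console();
        if (console == null) {
            // System.console() is null when stdin/stdout is not a terminal
            // (run from an IDE, or with redirected I/O). Refuse rather than
            // fall back to reading the password with echo switched on.
            System.err.println("No interactive console available");
            System.exit(1);
        }
        char[] password = console.readPassword("Password: ");
        if (password == null) {            // end of input before a line was read
            System.err.println("No password entered");
            System.exit(1);
        }
        // Constructed sample value; in practice this would come from a credential store.
        char[] expected = {'s', 'e', 'c', 'r', 'e', 't'};
        try {
            System.out.println(verify(password, expected) ? "accepted" : "rejected");
        } finally {
            // "Manually zero" means overwriting every element of the array the
            // API returned. Setting the reference to null would only drop the
            // reference; the characters would stay in the heap until the GC
            // reclaims the array and a later allocation happens to overwrite it.
            Arrays.fill(password, '\0');
            Arrays.fill(expected, '\0');
        }
    }
}
```

As Campbell notes, the zeroed array still has its original length; that is inherent to a fixed-size array and cannot be removed by overwriting its contents.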
 