{"id":1490,"date":"2017-03-21T17:52:59","date_gmt":"2017-03-21T12:22:59","guid":{"rendered":"https:\/\/www.wikitechy.com\/technology\/?p=1490"},"modified":"2017-03-29T10:47:35","modified_gmt":"2017-03-29T05:17:35","slug":"char-preferred-string-passwords","status":"publish","type":"post","link":"https:\/\/www.wikitechy.com\/technology\/char-preferred-string-passwords\/","title":{"rendered":"JAVA &#8211; Why is char[] preferred over String for passwords"},"content":{"rendered":"<ul>\n<li>A <b>char<\/b>[] is an <b>array<\/b> of primitive values of type <b>char<\/b>. All it provides is a length attribute and a way to get and set a <b>char<\/b> at a given index.<\/li>\n<li>A <b>String<\/b> is an object of type <b>java<\/b>.lang.<b>String<\/b>, which has a whole lot of useful methods for manipulating <b>Strings<\/b>. Internally, it uses a <b>char array<\/b>.<\/li>\n<li>In Java, String is immutable: once a string is created it can\u2019t be changed, and when it is no longer referenced it is removed from memory by the garbage collector. There is no way for us to remove it manually; we have to wait until the garbage collector comes into the picture.<\/li>\n<li>With a character array we can remove the data manually by overwriting it with other values even before garbage collection, so char[] is more secure than String for storing passwords because we have control over it, not the garbage collector.<\/li>\n<li>Java itself recommends using the getPassword() method of JPasswordField, which returns a char[], and has deprecated the getText() method, which returns the password in clear text, for security reasons.<\/li>\n<\/ul>\n<h4 id=\"difference-between-a-string-and-a-character-array-in-java\"><span style=\"color: #ff6600;\"><b>Difference Between A String And A Character Array In Java<\/b><\/span><\/h4>\n<p>The biggest difference between the two is the way the <b>Garbage Collector (GC)<\/b> handles each object. 
Since Strings are handled by the Java Garbage Collector differently from other objects, String is less suitable for storing sensitive information.<\/p>\n<h4 id=\"main-reasons-to-prefer-char-are\"><strong><span style=\"color: #808000;\">Main reasons to prefer char[] are:<\/span><\/strong><\/h4>\n<ul>\n<li>Immutability of Strings<\/li>\n<li>Accidental Printing to Logs<\/li>\n<li>Recommendation by Java itself<\/li>\n<\/ul>\n<h4 id=\"immutability-of-strings\"><span style=\"color: #800080;\"><b>Immutability of Strings<\/b><\/span><\/h4>\n<ul>\n<li><b>Strings in Java are immutable<\/b> (i.e. once created, their value cannot be changed) and <b>they also use the String Pool<\/b> for reuse, so we have no way to clear a String from memory until the GC removes it.<\/li>\n<li>Because of this there is a good chance that the object will remain in memory for a long time, and we cannot even change its value. So anyone with access to a memory dump can easily retrieve the exact password from memory.<\/li>\n<li>To mitigate this we can also use encryption, so that anyone who gains access only obtains an encrypted copy of the password.<\/li>\n<li><b>But with a character array<\/b> we can clear the data from the array ourselves, leaving no trace of the password in memory.<\/li>\n<\/ul>\n<h4 id=\"code\"><span style=\"color: #ff6600;\"><b>Code:-<\/b><\/span><\/h4>\n[pastacode lang=\u201djava\u201d 
manual=\u201dpublic%20class%20WikiPasswordSecurityExample%20%0A%7B%0A%20%0A%20%20%20%20public%20static%20void%20main(String%5B%5D%20args)%0A%20%7B%0A%20%0A%20%20%20%20%20%20%20%20char%5B%5D%20password%20%3D%20%7B%20%27p%27%2C%20%27a%27%2C%20%27s%27%2C%20%27s%27%2C%20%27w%27%2C%20%27o%27%2C%20%27r%27%2C%20%27d%27%20%7D%3B%0A%20%0A%20%20%20%20%20%20%20%20%2F%2F%20Overwrite%20every%20character%20of%20the%20password%0A%20%20%20%20%20%20%20%20for%20(int%20i%20%3D%200%3B%20i%20%3C%20password.length%3B%20i%2B%2B)%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20password%5Bi%5D%20%3D%20%27y%27%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%0A%20%20%20%20%20%20%20%20System.out.print(%22New%20Password%20-%20%22)%3B%0A%20%20%20%20%20%20%20%20%2F%2F%20Printing%20the%20new%20(overwritten)%20password%0A%20%20%20%20%20%20%20%20for%20(int%20i%20%3D%200%3B%20i%20%3C%20password.length%3B%20i%2B%2B)%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20System.out.print(password%5Bi%5D)%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A%7D%0A\u201d message=\u201djava code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<h4 id=\"output\"><span style=\"color: #808000;\"><b>Output:-<\/b><\/span><\/h4>\n<p><strong>New Password - yyyyyyyy<\/strong><\/p>\n<p>In the above example we can see that the array holding the password has been overwritten, so no trace of the actual password remains in memory. 
So anyone, even with a memory dump, cannot retrieve the password.<\/p>\n<h4 id=\"why-strings-are-immutable-are-listed-below\"><span style=\"color: #800080;\"><b>Reasons why Strings are immutable:<\/b><\/span><\/h4>\n<ul>\n<li>Security in a multithreaded environment<\/li>\n<li>To provide the string pool facility<\/li>\n<li>Strings can cache their hash code<\/li>\n<li>To support other functionality<\/li>\n<li>To provide security features<\/li>\n<\/ul>\n<h4 id=\"accidental-printing-to-logs\"><span style=\"color: #ff6600;\"><b>Accidental Printing to Logs<\/b><\/span><\/h4>\n<ul>\n<li>Along with memory dump protection, storing a password in a char array rather than a String also prevents accidental logging of the password to text files, consoles, monitors and other insecure places.<\/li>\n<li>In the same scenario a char array does not print its contents: printing it calls the array's <b>toString()<\/b> method, which yields only the array type and a hash code.<\/li>\n<\/ul>\n[pastacode lang=\u201djava\u201d manual=\u201dpublic%20class%20WikiPasswordSecurityExample%20%0A%7B%0A%20%0A%20%20%20%20public%20static%20void%20main(String%5B%5D%20args)%20%0A%7B%0A%20%0A%20%20%20%20%20%20%20%20String%20password%20%3D%20%22password%22%3B%0A%20%20%20%20%20%20%20%20char%5B%5D%20password2%3B%0A%20%0A%20%20%20%20%20%20%20%20System.out.println(%22Printing%20String%20-%3E%20%22%20%2B%20password)%3B%0A%20%0A%20%20%20%20%20%20%20%20password2%20%3D%20password.toCharArray()%3B%0A%20%20%20%20%20%20%20%20System.out.println(%22Printing%20Char%20Array%20-%3E%20%22%20%2B%20password2)%3B%0A%20%20%20%20%7D%0A%7D%0A\u201d message=\u201djava code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<h4 id=\"output-2\"><span style=\"color: #808000;\"><b>Output:-<\/b><\/span><\/h4>\n<p><strong>Printing String -> password<\/strong><\/p>\n<p><strong>Printing Char Array -> [C@21882d18<\/strong><\/p>\n<p>Note that password2 was produced by toCharArray(), which copies the characters, so the original String is still in memory; this example only demonstrates the printing behaviour.<\/p>\n<h4 id=\"recommendation-by-java-itself\"><span style=\"color: #800080;\"><b>Recommendation by Java itself<\/b><\/span><\/h4>\n<ul>\n<li>Java itself recommends the use of Char 
Array instead of String. This is clear from javax.swing.JPasswordField, where the method <b>public String getText()<\/b>, which returns a String, has been deprecated since Java 2 and replaced by <b>public char[] getPassword()<\/b>, which returns a char array.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A char[] is an array of primitive numbers of type char. All it provides is a length attribute, and a way to get and set a char at a given index. A String is an object, of type java.lang.String, which has a whole lot of useful methods for manipulating Strings. Internally, it uses a char array. In Java, String is immutable that is once a string [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2139],"tags":[2978,2974,1128,2975,2971,2982,2984,2985,2981,2983,2980,2979,2170,2976,2972,2977,2973,2177],"class_list":["post-1490","post","type-post","status-publish","format-standard","hentry","category-java","tag-difference-between-char-array-and-string-in-java","tag-how-should-i-ethically-approach-user-password-storage-for-later-plaintext-retrieval","tag-how-to-check-whether-a-string-contains-a-substring-in-javascript","tag-how-to-convert-a-char-to-a-string","tag-how-to-convert-a-stdstring-to-const-char-or-char","tag-how-to-create-a-thread-safe-singleton-in-java-using-double-checked-locking","tag-java-guardedstring","tag-java-guardedstring-example","tag-java-secure-string","tag-java-string-vs-char-array-memory","tag-java-string-vs-char-array-performance","tag-password-java-code","tag-readconvert-an-inputstream-to-a-string","tag-safely-using-string-for-passwords-by-using-reflection-to-scrub-contents-prior-to-garbage-collection","tag-secure-hash-and-salt-for-php-passwords","tag-string-or-char-for-password-when-using-jdbc","tag-why-does-jpasswordfield-getpass
word-create-a-string-with-the-password-in-it","tag-why-is-it-faster-to-process-a-sorted-array-than-an-unsorted-array"],"_links":{"self":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts\/1490","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/comments?post=1490"}],"version-history":[{"count":0,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts\/1490\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/media?parent=1490"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/categories?post=1490"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/tags?post=1490"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}