Sunday 27 March 2016

Why should we not use String for storing a password in Java, but can use a string for storing a password in C?




In a discussion, one of our seniors told us that we should not use String for storing a password in a Java project because it's a security risk,
but that it can be acceptable in a C project. I did not understand why he said that.
Can anyone tell me why?


Answer



In Java, Strings are immutable, so once you use a String to store a password there is no way its content can be changed, because any change produces a new String.
The String that contains the password will stay in memory until it is garbage collected, so it can remain in memory for a long time, which is a security risk.



But in C, a string is a null-terminated character array, and you can set all the array elements to zero after use, so the password does not remain in memory.
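As an added example (not part of the original post), here is the C side of the argument in working code: a password is copied into a stack buffer, used, and then wiped. One caveat the answer does not mention is that a plain `memset()` on a buffer that is never read again can be removed by the compiler as a dead store, so the wipe below routes the call through a `volatile` function pointer; where available, `explicit_bzero()` or C11's `memset_s()` do the same job. The sample password and the function names `secure_wipe`, `is_wiped` and `demo_password_lifecycle` are constructed for this demo. (The Java analogue the answer implies is to hold the password in a `char[]`, as `Console.readPassword()` returns, and overwrite it with `Arrays.fill()` after use, which is exactly what an immutable `String` cannot do.)

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Zero a buffer in a way the optimiser cannot drop. A direct memset() on
 * memory that is never read again may be eliminated as a dead store; calling
 * through a volatile function pointer forces the call to happen. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void secure_wipe(char *buf, size_t len) {
    memset_ptr(buf, 0, len);
}

/* Return 1 if every byte of buf is zero, 0 otherwise. */
int is_wiped(const char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != 0) {
            return 0;
        }
    }
    return 1;
}

/* Copy a constructed sample password into a fixed buffer, "use" it, wipe it,
 * and return 1 only if the secret was present before and gone afterwards. */
int demo_password_lifecycle(void) {
    char password[32];
    /* Constructed sample secret for the demo only. */
    const char *sample = "correct-horse-battery";

    strncpy(password, sample, sizeof password - 1);
    password[sizeof password - 1] = '\0';

    /* ... authenticate with password here ... */
    int had_secret = !is_wiped(password, sizeof password);

    /* Wipe the whole array, not just strlen() bytes, so no tail is left. */
    secure_wipe(password, sizeof password);

    return had_secret && is_wiped(password, sizeof password);
}

int main(void) {
    printf("wipe effective: %s\n", demo_password_lifecycle() ? "yes" : "no");
    return 0;
}
```

Note that the whole array is wiped rather than `strlen(password)` bytes, so nothing survives past the terminator, and that the buffer lives on the stack and is wiped before the function returns; a heap copy would need the same treatment before `free()`.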

