Wednesday 16 April 2014

Why is char[] preferred over String for passwords?

Strings are immutable. That means once you've created the string, if another process can dump memory, there's no way you can free the data before GC kicks in.
With an array, you can explicitly wipe the data after you're done with it: you can overwrite the array with anything you like, and the password won't be present anywhere in the system, even before garbage collection.
It would seem logical to collect and store the password in an object of type java.lang.String. However, here's the caveat: Objects of type String are immutable, i.e., there are no methods defined that allow you to change (overwrite) or zero out the contents of a String after usage. This feature makes String objects unsuitable for storing security sensitive information such as user passwords. You should always collect and store security sensitive information in a char array instead.
 <script type="text/javascript">
 var d = new Date();
 var time = d.getHours();
 if (time < 10) {
 document.write("<b>Good morning</b>");
 } else {
 document.write("<b>Good day</b>");