Java Driver / JAVA-45

DB.authenticate() should use a char[] for the password

Details

  • Type: Bug
  • Status: Closed
  • Priority: Minor - P4
  • Resolution: Fixed
  • Affects Version/s: 0.11
  • Fix Version/s: 1.0
  • Component/s: None
  • Labels: None
  • Environment: n/a

Description

As per Java security best practices, passwords should always be stored as char[] rather than String - the DB.authenticate() method currently uses a String for the password.

This is recommended for two reasons:
1. Due to string interning [1], String values may stay in the heap a lot longer than other Java objects.
2. Because they're immutable, Strings cannot be rewritten (e.g. zeroed out) to further reduce the chances of a password being compromised [2].

      [1] http://java.sun.com/j2se/1.5.0/docs/api/java/lang/String.html#intern%28%29
      [2] http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html#PBEEx
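The pattern the reporter is asking for, as an added illustration that is not the driver's code and not the fix that shipped in 1.0: a hypothetical authenticate() wrapper takes the password as char[], hands it to the JCE PBEKeySpec cited in [2], and both the caller and the wrapper zero their copies once they are done. The user name, salt, iteration count and sample password are constructed values.

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical wrapper, not DB.authenticate() from the driver. */
public final class CharArrayPasswordExample {

    // Constructed salt for the demonstration; a real deployment uses a random one.
    private static final byte[] SALT = {1, 2, 3, 4, 5, 6, 7, 8};

    // Derives a key from the char[] password (stand-in for sending credentials to
    // the server) and guarantees PBEKeySpec's internal copy is wiped afterwards.
    static int authenticate(String user, char[] password) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, SALT, 1000, 128);
        try {
            SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec);
            return password.length; // number of characters consumed
        } finally {
            spec.clearPassword(); // zero the copy PBEKeySpec made of the password
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample; filled character by character rather than via a
        // String literal so no interned String copy of the password ever exists.
        char[] password = {'s', '3', 'c', 'r', '3', 't'};
        try {
            authenticate("alice", password);
        } finally {
            // Unlike a String, the array can be overwritten in place once it is
            // no longer needed, instead of lingering until the GC collects it.
            Arrays.fill(password, '\0');
        }
        boolean wiped = true;
        for (char c : password) {
            wiped &= (c == '\0');
        }
        System.out.println("password wiped from heap copy: " + wiped);
    }
}
```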


People

Assignee: eliot Eliot Horowitz (Inactive)
Reporter: pmonks Peter Monks
Votes: 0
Watchers: 1
