Uploaded image for project: 'Java Driver'
  1. Java Driver
  2. JAVA-45

DB.authenticate() should use a char[] for the password

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Minor - P4 Minor - P4
    • 1.0
    • Affects Version/s: 0.11
    • Component/s: None
    • Labels:
      None
    • Environment:
      n/a

      As per Java security best practices, passwords should always be stored as char[] rather than String - the DB.authenticate() method currently uses a String for the password.

      This is recommended for two reasons:
      1. Due to string interning [1], String values may stay in the heap a lot longer than other Java objects
      2. Because they're immutable, Strings cannot be rewritten (eg. zeroed out) to further reduce the chances of a password being compromised [2]

      [1] http://java.sun.com/j2se/1.5.0/docs/api/java/lang/String.html#intern%28%29
      [2] http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html#PBEEx

            Assignee:
            eliot Eliot Horowitz (Inactive)
            Reporter:
            pmonks Peter Monks
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: