[JAVA-45] DB.authenticate() should use a char[] for the password

Created: 22/Oct/09  Updated: 29/Nov/09  Resolved: 22/Oct/09

Status: Closed
Project: Java Driver
Component/s: None
Affects Version/s: 0.11
Fix Version/s: 1.0

Type: Bug
Priority: Minor - P4
Reporter: Peter Monks
Assignee: Eliot Horowitz (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: n/a



 Description   

As per Java security best practices, passwords should always be stored as char[] rather than String - the DB.authenticate() method currently uses a String for the password.

This is recommended for two reasons:
1. Due to string interning [1], String values may stay in the heap a lot longer than other Java objects
2. Because they're immutable, Strings cannot be rewritten (e.g. zeroed out) to further reduce the chances of a password being compromised [2]

[1] http://java.sun.com/j2se/1.5.0/docs/api/java/lang/String.html#intern%28%29
[2] http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html#PBEEx
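
The char[] pattern the description refers to, shown with the JDK's `PBEKeySpec` as in the PBE example cited at [2]. This is an added example, not part of the original report or the driver's code; the class name, method name, sample password, salt and iteration count are constructed for illustration.

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: hypothetical class and method names, not the driver's API.
public class CharArrayPasswordExample {

    // Derives a key from the password, then wipes every copy this code controls.
    static byte[] deriveAndWipe(char[] password, byte[] salt) throws GeneralSecurityException {
        // PBEKeySpec clones the array, so there are now two copies to clear.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();        // zero the spec's internal copy
            Arrays.fill(password, '\0'); // zero the caller's array; impossible with a String
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample input. A real program would obtain the char[]
        // from Console.readPassword(), never from a String.
        char[] password = {'s', '3', 'c', 'r', 'e', 't'};
        byte[] salt = new byte[16]; // constructed all-zero salt; use SecureRandom in practice

        byte[] key = deriveAndWipe(password, salt);
        System.out.println("derived key bytes: " + key.length);

        boolean wiped = true;
        for (char c : password) {
            wiped &= (c == '\0');
        }
        System.out.println("password array wiped: " + wiped);
    }
}
```

Wiping is best effort: a copying garbage collector may have relocated the array before it was cleared, so this shortens the exposure window rather than guaranteeing the password never remains in memory.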



 Comments   
Comment by Eliot Horowitz (Inactive) [ 29/Nov/09 ]

released

Comment by Peter Monks [ 22/Oct/09 ]

Holy crap that was fast!
