Java String Passwords

JPasswordField and Console classes return the password as an array and a good practice is to blank out the array characters after making use of the password so that a memory dump won’t reveal the password. This is good. But then, today I am experimenting with JavaMail api and it has a PasswordAuthentication interface that has “public String getPassword()” method. Hmm, so what’s the point in ensuring that secure APIs are used only to make them non-secure in between? Sort of like loading a webpage using https but the form submitted getting posted to http.

This is my third of those rarely “hate java” moments. I documented one in 2008, then another in 2009 and now in 2010. Surely, it’s rare. Isn’t it? :).

On a side note, seems James Gosling said in a 2001 interview about Java

“One of the things that forced Strings to be immutable was security. You have a file open method. You pass a String to it. And then it’s doing all kind of authentication checks before it gets around to doing the OS call. If you manage to do something that effectively mutated the String, after the security check and before the OS call, then boom, you’re in. But Strings are immutable, so that kind of attack doesn’t work. That precise example is what really demanded that Strings be immutable. ”

Update: Now after all the effort I put in to still use System.console().readPassword() because useless on my Mac (OS X 10.6.3) because the “without echo” is not working (meaning the letters are echoing on the screen). Could be a problem with Apple’s version of Java or may be in the underlying OS X call. Don’t know, but now I am really annoyed.

Advertisements

Leave a comment

Filed under Java

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s