Password in java code



  • How are you handling password in java code?
    Today I was browsing this site and came to <a href="http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords">this question</a>.

    Then I look at our source code. All passwords are stored in string type variables only. So my fellow programmers, how does your code read passwords?

    Please be direct and honest



  • There are other ways that aren't good for handling passwords, I know some things I work on send a password to the DB in plain and the DB does the hashing when seeing if it's valid (meaning an eavesdropper can see the password and if it is good or not if they are listening between the systems).



  • By the time another process can read your memory without your permission, you've already got a virus, and nothing you can do will make the password "more secure".


  •

    @Nagesh said:

    How are you handling password in java code?
    Today I was browsing this site and came to this question.

    I've read that one before. It's full of inaccurate supposition, cargo-cult misconceptions and people who haven't measured what actually happens. Java really does free strings, and often quite rapidly. (This can make managing certain types of cache harder than you would otherwise think, but it isn't a big security problem.) The only strings that aren't mulched over at the usual speed for unneeded objects are those that have been interned, but only a loon would do that with a password. (In fact, they'd be mad if they interned any string explicitly; interning sounds like a much better idea than it really is.)

    There are two benefits to using a character array. You won't print it by accident, and you can clear it once you're done. They're not very big advantages. @Nagesh said:

    Then I look at our source code. All passwords are stored in string type variables only. So my fellow programmers, how does your code read passwords?
    They are in common security libraries like Spring Security too. I wouldn't worry about it too much. @Nagesh said:
    Please be direct and honest
    OK, this time. Next time I might be circumlocutorily misleading for fun.


  • Good Point!

    @Ben L. said:

    By the time another process can read your memory without your permission, you've already got a virus, and nothing you can do will make the password "more secure".



  • @Ben L. said:

    By the time another process can read your memory without your permission, you've already got a virus, and nothing you can do will make the password "more secure".
    This. I can't believe all those top answers are really suggesting it's to prevent rogue processes from debugging your application and reading its memory. To quote Raymond Chen, "It's already on the wrong side of the airtight hatch."

    The question doesn't mention anything about persistence (not that I saw when I skimmed) so I would add that if you're not storing the password using BCrypt, you're probably doing it wrong. I like to jack the difficulty up to where it takes a good 0.5 - 1.0 seconds to perform the BCrypt hash. No one will even want to bother brute forcing that.
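Putting the two practical points from this thread together (the char[] "you can clear it once you're done" benefit, and a BCrypt cost tuned to roughly half a second), here is an added Java example that is not code from any poster. It assumes Spring Security's BCryptPasswordEncoder is on the classpath; the class name and helper method names are my own.

```java
import java.nio.CharBuffer;
import java.util.Arrays;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class PasswordHandling {

    /** Smallest BCrypt cost whose hash takes at least targetMillis on this machine. */
    static int calibrateCost(long targetMillis) {
        char[] probe = "calibration-only".toCharArray(); // constructed sample, not a real secret
        try {
            for (int cost = 4; cost <= 31; cost++) {
                BCryptPasswordEncoder enc = new BCryptPasswordEncoder(cost);
                long start = System.nanoTime();
                enc.encode(CharBuffer.wrap(probe));
                long elapsedMs = (System.nanoTime() - start) / 1_000_000;
                if (elapsedMs >= targetMillis) {
                    return cost;
                }
            }
            return 31;
        } finally {
            Arrays.fill(probe, '\0');
        }
    }

    /** Hash a password held in a char[]; the array is zeroed before returning. */
    static String hashAndWipe(char[] password, int cost) {
        try {
            // CharBuffer.wrap hands the encoder a CharSequence without the caller building a String.
            // Spring's encoder still creates a String internally, so this limits copies, not removes them.
            return new BCryptPasswordEncoder(cost).encode(CharBuffer.wrap(password));
        } finally {
            Arrays.fill(password, '\0'); // the "you can clear it once you're done" benefit
        }
    }

    public static void main(String[] args) {
        int cost = calibrateCost(500); // aim for roughly 0.5 s per hash, as suggested in the thread
        char[] pw = System.console() != null
                ? System.console().readPassword("Password: ") // Console gives a char[], not a String
                : "constructed-demo-password".toCharArray();  // fallback when no terminal is attached
        String stored = hashAndWipe(pw, cost);
        System.out.println("cost=" + cost + " hash=" + stored);
        // After the wipe the array holds only NUL characters; an accidental log line leaks nothing.
        System.out.println("wiped: " + Arrays.toString(pw));
    }
}
```

Re-run the calibration whenever the hardware changes, and store the cost with the hash (BCrypt already embeds it) so old hashes can be upgraded on next login.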



  • @mott555 said:

    I like to jack the difficulty up to where it takes a good 0.5 - 1.0 seconds to perform the BCrypt hash. No one will even want to bother brute forcing that.

    Good man!

