If your class implementation knows it doesn't need the password again after authentication, just null it out. Once you no longer need it, blast it away.

Regarding toString(), make sure it doesn't dump that. Yes. However, char[] doesn't offer better security if the tool is a heap dump. A String just uses char[] internally. The other option -- and it's so over-the-top -- is to keep the value encrypted in memory and decrypt it upon demand.

Paul

On Mon, Aug 19, 2013 at 9:29 AM, Gary Gregory <[email protected]> wrote:

> On Mon, Aug 19, 2013 at 10:25 AM, Paul Benedict <[email protected]> wrote:
>
>> Do you need the password ever after authentication?
>
> I guess it depends on whether the code handles re-auth in case of a disconnect.
>
> Gary
>
>> On Mon, Aug 19, 2013 at 8:55 AM, Gary Gregory <[email protected]> wrote:
>>
>>> On Mon, Aug 19, 2013 at 7:27 AM, Ralph Goers <[email protected]> wrote:
>>>
>>>> What passwords?
>>>
>>> For example:
>>>
>>> - org.apache.logging.log4j.core.net.SMTPManager.FactoryData.password
>>> - org.apache.logging.log4j.core.net.JMSTopicManager.password
>>> - org.apache.logging.log4j.core.net.JMSQueueManager.FactoryData.password
>>>
>>> Gary
>>>
>>>> Ralph
>>>>
>>>> On Aug 19, 2013, at 4:22 AM, Gary Gregory <[email protected]> wrote:
>>>>
>>>> I've seen it done many places: Should we track passwords internally as char[] instead of String for ivars?
>>>>
>>>> This prevents Log4j spilling your secrets by accident in a toString to internal log call.
>>>>
>>>> Gary
>>>>
>>>> --
>>>> E-Mail: [email protected] | [email protected]
>>>> Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
>>>> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
>>>> Spring Batch in Action <http://www.manning.com/templier/>
>>>> Blog: http://garygregory.wordpress.com
>>>> Home: http://garygregory.com/
>>>> Tweet! http://twitter.com/GaryGregory
>>
>> --
>> Cheers,
>> Paul

--
Cheers,
Paul
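Added example (not from this thread and not Log4j code) of the pattern Gary and Paul describe: a holder that keeps the password as char[], wipes it once authentication is done, and masks it in toString() so an internal log call cannot spill it. The class name, its methods and the sample password are hypothetical.

```java
import java.util.Arrays;

// Hypothetical helper, not Log4j code: keeps a password as char[] so it can be
// wiped after use and never appears in toString(). As Paul notes, this does not
// hide the characters from a heap dump taken while they are still live.
public final class PasswordHolder implements AutoCloseable {
    private char[] password;   // null once cleared

    public PasswordHolder(char[] password) {
        // Defensive copy: the caller's array and ours can be wiped independently
        this.password = password.clone();
    }

    /** Live characters for the authentication call; callers must not retain them. */
    public char[] chars() {
        if (password == null) {
            throw new IllegalStateException("password already cleared");
        }
        return password;
    }

    /** Overwrite the characters and drop the reference ("blast it away"). */
    public void clear() {
        if (password != null) {
            Arrays.fill(password, '\0');
            password = null;
        }
    }

    @Override
    public void close() { clear(); }

    /** Safe even if an internal log call does "" + holder. */
    @Override
    public String toString() {
        return "PasswordHolder[" + (password == null ? "cleared" : "***") + "]";
    }

    // Demo: authenticate, then wipe. Deliberately avoids new String(password),
    // which would leave an immutable copy that cannot be zeroed.
    public static void main(String[] args) {
        char[] secret = {'h', 'u', 'n', 't', 'e', 'r', '2'};     // constructed sample
        char[] expected = {'h', 'u', 'n', 't', 'e', 'r', '2'};   // stands in for the server-side check
        try (PasswordHolder holder = new PasswordHolder(secret)) {
            boolean ok = Arrays.equals(holder.chars(), expected);
            System.out.println("auth ok: " + ok + ", holder=" + holder);
        }
        Arrays.fill(secret, '\0');   // wipe the caller's copy too
    }
}
```

Once close() has run, logging the holder prints only `PasswordHolder[cleared]`, and the backing array has been overwritten rather than left for the garbage collector.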
