char[] preferred over String for passwords in Java. Why is that? - Programmers Heaven


char[] preferred over String for passwords in Java. Why is that?

Jeson84 (USA, Posts: 90, Member)

I was advised by many forum members and some of my colleagues not to use Strings to handle passwords in Java. They recommended using char[]. But they never explained why. Can someone please explain why that is?



  • DavidM (USA, Posts: 342, Member)

    The following is a quote from the Java Cryptography Architecture guide.

    It would seem logical to collect and store the password in an object of type java.lang.String. However, here's the caveat: Objects of type String are immutable, i.e., there are no methods defined that allow you to change (overwrite) or zero out the contents of a String after usage. This feature makes String objects unsuitable for storing security sensitive information such as user passwords. You should always collect and store security sensitive information in a char array instead.
