char[] preferred over String for passwords in Java. Why is that? - Programmers Heaven

char[] preferred over String for passwords in Java. Why is that?

Jeson84 (USA, Posts: 90, Member)

I was advised by many forum members and some of my colleagues not to use Strings to handle passwords in Java. They recommended using char[]. But they never explained why. Can someone please explain why that is?

Comments

  • DavidM (USA, Posts: 342, Member)

    The following is a quote from the Java Cryptography Architecture guide.

    It would seem logical to collect and store the password in an object of type java.lang.String. However, here's the caveat: Objects of type String are immutable, i.e., there are no methods defined that allow you to change (overwrite) or zero out the contents of a String after usage. This feature makes String objects unsuitable for storing security sensitive information such as user passwords. You should always collect and store security sensitive information in a char array instead.
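
An added example, not part of the thread or of the JCA guide: it shows the pattern the quoted passage recommends, keeping the password in a char[] for its whole lifetime and overwriting it after use. The class name, iteration count, key length and fallback sample password are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHandling {
    // Illustrative parameters (assumptions, not values from the page).
    private static final int ITERATIONS = 210_000;
    private static final int KEY_BITS = 256;

    /** Derives a PBKDF2 hash; the caller still owns `password` and must wipe it. */
    static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        // PBEKeySpec accepts char[] directly, so no String copy is ever created.
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // the spec holds its own copy; wipe that too
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Console.readPassword() returns char[] with echo disabled. System.console()
        // is null when no terminal is attached, so fall back to a constructed sample.
        char[] password = (System.console() != null)
                ? System.console().readPassword("Password: ")
                : new char[] {'s', 'a', 'm', 'p', 'l', 'e'}; // constructed sample input
        if (password == null) {
            return; // end of input reached before a password was entered
        }
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        try {
            byte[] hash = derive(password, salt);
            System.out.println("Derived " + hash.length + " bytes");
        } finally {
            // Overwrite in place. A String offers no equivalent: its contents
            // stay on the heap until the garbage collector reclaims them.
            Arrays.fill(password, '\0');
        }
        System.out.println("Wiped: " + Arrays.equals(password, new char[password.length]));
    }
}
```

Wiping shortens the window in which a heap dump or memory scan can recover the password; it does not help if the value was already converted to a String elsewhere, for example by a framework that binds form fields to String properties.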
