
- Java Tutorial
- Java - Home
- Java - Overview
- Java - Environment Setup
- Java - Basic Syntax
- Java - Object & Classes
- Java - Constructors
- Java - Basic Datatypes
- Java - Variable Types
- Java - Modifier Types
- Java - Basic Operators
- Java - Loop Control
- Java - Decision Making
- Java - Numbers
- Java - Characters
- Java - Strings
- Java - Arrays
- Java - Date & Time
- Java - Regular Expressions
- Java - Methods
- Java - Files and I/O
- Java - Exceptions
- Java - Inner classes
- Java Object Oriented
- Java - Inheritance
- Java - Overriding
- Java - Polymorphism
- Java - Abstraction
- Java - Encapsulation
- Java - Interfaces
- Java - Packages
- Java Advanced
- Java - Data Structures
- Java - Collections
- Java - Generics
- Java - Serialization
- Java - Networking
- Java - Sending Email
- Java - Multithreading
- Java - Applet Basics
- Java - Documentation
- Java Useful Resources
- Java - Questions and Answers
- Java - Quick Guide
- Java - Useful Resources
- Java - Discussion
- Java - Examples
Why Char[] array is more secure (store sensitive data) than String in Java?
Both String and Char[] array are used to store the textual data but choosing one over the other is more difficult. Maybe we can get the idea from the immutability of String why char[] array is preferred over String for storing sensitive information data like password, SSN, etc.
- Using the plain string is a much higher chance of accidentally printing the password to logs or some other insecure places where char[] array is less vulnerable.
- Since String is immutable, there is no method defined that allow us to change or overwrite the content of the string. This feature makes string objects unstable for storing secure information such as passwords, SSN, etc. We should always store the secure information in char[] array rather than String.
- Since String is immutable if we store the password as plain text it will be available in memory until the garbage collector cleans it. Since string used String Constant Pool (SCP) for re-usability of a string, there will be a pretty chance that it will remain in memory for a long duration. Since anyone who has access to memory dump can easily find the password in plain text that's another reason should use encrypt password than plain text.
- If we notice in Java Swing applications, there is a method of JPasswordField getPassword() which return char[] and the deprecated method getText() which return the password in plain text. So java itself recommending to use the get password() method.
- Another reason for storing a password in char[] array, because char[] can be sanitized, for example, after usage one can override a clear password with junk, while String is immutable in Java.
Example
public class SecureInfoData { public static void main(String args[]) { String pwd = "string_pass_word"; System.out.println("String Password is: " + pwd); char charPwd[] = "char_pass_word".toCharArray(); System.out.println("Character Password is: " + charPwd); } }
Output
String Password is: string_pass_word Character Password is: [C@6d06d69c
- Related Articles
- Convert Char array to String in Java
- Copy char array to string in Java
- Convert string to char array in Java
- Store unicode in a char variable in Java
- Copy characters from string into char Array in Java
- Java Program to convert Char array to String
- How to store string array in Java JList?
- Case sensitive string comparison in Java.
- Why Java is a Secure Programming Language?
- Convert string to char array in C++
- Append a single character to a string or char array in java?
- Why is char[] preferred over String for storing passwords?
- How to convert string to char array in C++?
- Which cells can store more energy than Ni-Cd cells ?
- Different methods to append a single character to a string or char array in Java

Advertisements