[Owasp-leaders] Generating Passwords

Pravir Chandra chandra at list.org
Thu Jan 15 17:53:22 EST 2009


Doing that in Java is pretty tricky since an array type is an Object
(not a primitive). So, even dropped refs to the array should remain
around until garbage collection. Heck, even if you 'zero out' the char
array, it's entirely possible that copies of the content remain
somewhere in memory since it's all managed by the VM.

p.

On Thu, Jan 15, 2009 at 2:37 PM, McGovern, James F (HTSC, IT)
<James.McGovern at thehartford.com> wrote:
> I am curious whether others believe that passwords should be done in a way
> that avoids garbage collection. For example, I could do the below:
>
> public Connection createConnection(String userName, String password) throws JMSException
> Or
> public Connection createConnection(String userName, char[] password) throws JMSException
> Where the latter wouldn't allow the password to linger in memory. Do I have a
> false belief?
>
> http://www.owasp.org/index.php/Password_length_&_complexity
>



-- 
~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra                      chandra<at>list<dot>org
PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
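
The char[] variant discussed in this thread, as an added example that is not part of the original messages: the caller overwrites the array once the password is no longer needed, and the encoded copy is cleared as well. `PasswordWipeExample`, `authenticate` and the sample values are hypothetical names constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class PasswordWipeExample {

    // Hypothetical stand-in for the createConnection(String, char[]) variant
    // from the thread; it only encodes the password the way a client would
    // before sending it.
    static int authenticate(String userName, char[] password) {
        // Encode without going through String: new String(password) would
        // create an immutable copy that cannot be overwritten afterwards.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        try {
            return encoded.remaining(); // placeholder for the actual send
        } finally {
            // The encoded bytes are a second copy of the secret; clear them too.
            if (encoded.hasArray()) {
                Arrays.fill(encoded.array(), (byte) 0);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample value, built as chars so no String literal holds it.
        char[] password = {'c', 'o', 'n', 's', 't', 'r', 'u', 'c', 't', 'e', 'd'};
        try {
            int sent = authenticate("demo-user", password);
            System.out.println("bytes encoded: " + sent);
        } finally {
            // Overwrite the caller's copy as soon as it is no longer needed.
            // This shortens the exposure window, but as the reply notes, the VM
            // may already have moved the array during garbage collection,
            // leaving stale copies that this call cannot reach.
            Arrays.fill(password, '\0');
        }
        System.out.println("wiped: " + (password[0] == '\0'));
    }
}
```

With the String variant there is no equivalent of the `Arrays.fill` step, because a String's contents cannot be modified after construction.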

