[Owasp-leaders] Generating Passwords

Jim Manico jim.manico at aspectsecurity.com
Thu Jan 15 19:19:09 EST 2009

If someone is able to profile your ram and steal data from there, you are so screwed - way beyond just password theft.
The likelihood is a very small number, the impact is radicallty high - but the criticality overall is also a low number, so it's not something I think we need to worry about in a server-side Java enviornment.
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security(tm)
Securing your applications at the source


From: owasp-leaders-bounces at lists.owasp.org on behalf of McGovern, James F (HTSC, IT)
Sent: Thu 1/15/2009 4:37 PM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Generating Passwords

I am curious whether others believe that passwords should be done in a way that avoids garbage collection. For example, I could do the below:

public Connection <http://java.sun.com/j2ee/1.4/docs/api/javax/jms/Connection.html>  createConnection(String <http://java.sun.com/j2se/1.4/docs/api/java/lang/String.html>  userName, String <http://java.sun.com/j2se/1.4/docs/api/java/lang/String.html>  password) throws JMSException <http://java.sun.com/j2ee/1.4/docs/api/javax/jms/JMSException.html>  
public Connection <http://java.sun.com/j2ee/1.4/docs/api/javax/jms/Connection.html>  createConnection(String <http://java.sun.com/j2se/1.4/docs/api/java/lang/String.html>  userName, char[] password) throws JMSException <http://java.sun.com/j2ee/1.4/docs/api/javax/jms/JMSException.html>  
Where the later wouldn't allow the password to linger in memory. Do I have a false belief? 

http://www.owasp.org/index.php/Password_length_&_complexity <http://www.owasp.org/index.php/Password_length_&_complexity>  

This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information.  If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited.  If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20090115/1500fd7a/attachment-0001.html 

More information about the OWASP-Leaders mailing list