[Owasp-leaders] Generating Passwords

Sherif Koussa sherif.fathy at gmail.com
Thu Jan 15 20:04:42 EST 2009


Well, in this particular case, it doesn't really matter because you are
creating a copy of the original password which will be deleted either way
after createConnection is returned. However, it might make a difference in
the code that passes the password to createConnection, favouring the
array of characters, as data in Strings can't be deleted. My 0.02$.
Regards,
Sherif

On Thu, Jan 15, 2009 at 5:37 PM, McGovern, James F (HTSC, IT) <
James.McGovern at thehartford.com> wrote:

>  I am curious whether others believe that passwords should be done in a
> way that avoids garbage collection. For example, I could do the below:
>
> public Connection createConnection(String userName, String password) throws JMSException
> Or
> public Connection createConnection(String userName, char[] password) throws JMSException
> Where the latter wouldn't allow the password to linger in memory. Do I have
> a false belief?
>
> http://www.owasp.org/index.php/Password_length_&_complexity
>
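The caller-side handling discussed in this thread, as an added example that is not part of the original messages: the password is held in a char[], encoded to bytes without ever building a String, and every copy is overwritten once it is no longer needed. The createConnection(String, char[]) method here is a hypothetical stand-in for the second signature in the question, not a real JMS API, and the secret is a constructed sample value.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class PasswordWipeDemo {

    // Hypothetical stand-in for a createConnection(String, char[]) overload;
    // not a real JMS API. It encodes the password without building a String.
    static int createConnection(String userName, char[] password) {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] wire = new byte[encoded.remaining()];
        encoded.get(wire);
        try {
            return wire.length; // a real client would send `wire` to the broker here
        } finally {
            // Wipe both intermediate copies made by this method.
            Arrays.fill(wire, (byte) 0);
            if (encoded.hasArray()) {
                Arrays.fill(encoded.array(), (byte) 0);
            }
        }
    }

    static boolean isWiped(char[] a) {
        for (char c : a) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample secret. In real code it would come from
        // Console.readPassword(), which returns char[] directly.
        char[] password = {'s', '3', 'c', 'r', 'e', 't'};
        try {
            int sent = createConnection("appUser", password);
            System.out.println("encoded bytes handed to transport: " + sent);
        } finally {
            // The caller owns the array, so the caller overwrites it. A String
            // is immutable and stays on the heap until the GC reclaims it.
            Arrays.fill(password, '\0');
        }
        System.out.println("all zero after wipe: " + isWiped(password));
    }
}
```

Overwriting narrows the window in which the secret is readable from a heap dump, but a moving garbage collector may already have copied the array, so this reduces exposure rather than guaranteeing removal.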