[Owasp-leaders] Generating Passwords

Marco M. Morana marco.m.morana at gmail.com
Fri Jan 16 13:59:45 EST 2009

String or char[] are both mutable objects in Java, so they will behave the same way from a GC perspective (as copies will be made to handle the references to the same object and deleted when you exit).

From a threat perspective, it in effect depends on the threat scenario and the context of the application (client vs. server code, exposure likelihood, etc.). As pointed out by Pravir, a threat model should drive the source code analysis for the API in question to determine the risk.

Inherently, anyway, the risk seems low considering the time window (as Jim describes, while sitting in RAM).

My 0.01 cents :)


OWASP Chapter Lead

Writing Secure Software Blogger


  ----- Original Message ----- 
  From: Sherif Koussa 
  To: owasp-leaders at lists.owasp.org 
  Sent: Thursday, January 15, 2009 8:04 PM
  Subject: Re: [Owasp-leaders] Generating Passwords

  Well, in this particular case, it doesn't really matter because you are creating a copy of the original password which will be deleted either way after createConnection is returned. However, it might make a difference in the code that passes the password to createConnection, favouring the array of characters, as data in Strings can't be deleted. My $0.02.


  On Thu, Jan 15, 2009 at 5:37 PM, McGovern, James F (HTSC, IT) <James.McGovern at thehartford.com> wrote:

    I am curious whether others believe that passwords should be done in a way that avoids garbage collection. For example, I could do the below:

    public Connection createConnection(String userName, String password) throws JMSException 
    public Connection createConnection(String userName, char[] password) throws JMSException 
    where the latter wouldn't allow the password to linger in memory. Do I have a false belief? 



    OWASP-Leaders mailing list
    OWASP-Leaders at lists.owasp.org


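The pattern the thread is debating, as an added example that is not from any of the posters: a hypothetical helper that takes the password as char[], derives a key from it, and zeroes the array in a finally block, which is the one thing a String parameter never lets the caller do. The class and method names are made up for this illustration; only the JDK APIs are real.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical helper: derives a key from a char[] password and wipes the
 *  password as soon as it is no longer needed. */
public final class PasswordHandling {

    /** Derives a 256-bit key with PBKDF2. The caller's array is zeroed in
     *  finally, whether derivation succeeds or throws. */
    public static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = null;
        try {
            spec = new PBEKeySpec(password, salt, 600_000, 256);
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            if (spec != null) {
                spec.clearPassword();    // PBEKeySpec keeps its own copy; wipe it too
            }
            Arrays.fill(password, '\0'); // overwrite the caller's array in place
        }
    }

    /** True when every element of the array has been zeroed. */
    public static boolean isWiped(char[] password) {
        for (char c : password) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; real code would read it with Console.readPassword(),
        // which already returns a char[] and never creates a String.
        char[] password = "correct horse battery staple".toCharArray();
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        byte[] key = deriveKey(password, salt);
        System.out.println("key bytes: " + key.length);
        System.out.println("password wiped: " + isWiped(password));

        // The String literal above cannot be cleared: it sits in the string pool
        // until the class is unloaded, and any new String(password) copy stays
        // readable until the GC happens to reclaim it. That is the asymmetry
        // between the two createConnection overloads in the original question.
        Arrays.fill(key, (byte) 0); // the derived key deserves the same treatment
    }
}
```

The char[] overload only helps if every callee that receives the array treats it this way; one intermediate `new String(password)` reintroduces an uncontrollable copy.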
