[Owasp-leaders] Generating Passwords

Marco M. Morana marco.m.morana at gmail.com
Fri Jan 16 14:10:39 EST 2009


Sorry, slip-by typo in previous email... I meant "String or char are immutable", as an object whose state cannot be altered after it has been initiated. 0.00 cents...

Regards

marco
OWASP Chapter Lead

Writing Secure Software Blogger

 

  ----- Original Message ----- 
  From: Marco M. Morana 
  To: owasp-leaders at lists.owasp.org 
  Sent: Friday, January 16, 2009 1:59 PM
  Subject: Re: [Owasp-leaders] Generating Passwords


  String and char[] are both mutable objects in Java, so they will behave the same way from a GC perspective (as copies will be made to handle the references to the same object and deleted when you exit).

  From a threat perspective it in effect depends on the threat scenario and the context of the application (client vs. server code, exposure likelihood, etc.); as pointed out by Pravir, a threat model should drive the source code analysis for the API in question to determine the risk.

  Inherently anyway the risk seems low considering the time window (as Jim describes, while sitting in RAM).

  My 0.01 cents :)

  Regards

  Marco
  OWASP Chapter Lead

  Writing Secure Software Blogger

   

    ----- Original Message ----- 
    From: Sherif Koussa 
    To: owasp-leaders at lists.owasp.org 
    Sent: Thursday, January 15, 2009 8:04 PM
    Subject: Re: [Owasp-leaders] Generating Passwords


    Well, in this particular case, it doesn't really matter because you are creating a copy of the original password which will be deleted either way after createConnection returns. However, it might make a difference in the code that passes the password to createConnection, favouring the array of characters, as data in Strings can't be deleted. My $0.02.


    Regards,
    Sherif


    On Thu, Jan 15, 2009 at 5:37 PM, McGovern, James F (HTSC, IT) <James.McGovern at thehartford.com> wrote:

      I am curious whether others believe that passwords should be done in a way that avoids garbage collection. For example, I could do the below:

      public Connection createConnection(String userName, String password) throws JMSException 
      Or 
      public Connection createConnection(String userName, char[] password) throws JMSException 
      Where the latter wouldn't allow the password to linger in memory. Do I have a false belief?



      http://www.owasp.org/index.php/Password_length_&_complexity 


      _______________________________________________
      OWASP-Leaders mailing list
      OWASP-Leaders at lists.owasp.org
      https://lists.owasp.org/mailman/listinfo/owasp-leaders






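As an added example (not code from any poster in this thread), here is the char[] form of createConnection from James's question, written so that the copy it makes is overwritten in a finally block, beside the String form, whose contents the caller can never clear. The connect() helper is a hypothetical stand-in for the real JMS factory call; if the underlying API only accepts a String, the char[] benefit is lost at that boundary.

```java
import java.util.Arrays;

public class PasswordHandling {

    // Hypothetical stand-in for whatever consumes the credential; a real
    // JMS ConnectionFactory would be called here instead.
    static boolean connect(String userName, char[] password) {
        return userName != null && password.length > 0;
    }

    // char[] form: work on a private copy and overwrite it when done, so the
    // plaintext does not sit in the heap until the collector happens to run.
    // Best effort only: the JVM may have moved or copied the array during GC.
    public static boolean createConnection(String userName, char[] password) {
        char[] copy = Arrays.copyOf(password, password.length);
        try {
            return connect(userName, copy);
        } finally {
            Arrays.fill(copy, '\0');
        }
    }

    // String form: nothing can be cleared. Both the String and the
    // toCharArray() copy linger until garbage collected.
    public static boolean createConnection(String userName, String password) {
        return connect(userName, password.toCharArray());
    }

    // Returns true when every element of the array has been zeroed.
    static boolean isCleared(char[] a) {
        return Arrays.equals(a, new char[a.length]);
    }

    public static void main(String[] args) {
        // Constructed sample value, not a real credential.
        char[] pw = "sample-only".toCharArray();
        boolean ok = createConnection("jms-user", pw);
        // The caller still owns pw and clears it once it is no longer needed.
        Arrays.fill(pw, '\0');
        System.out.println("connected=" + ok + " callerArrayCleared=" + isCleared(pw));
    }
}
```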