[Owasp-leaders] Generating Passwords Hopw

Marco M. Morana marco.m.morana at gmail.com
Sat Jan 17 18:39:30 EST 2009


Rogan

thanks for your follow up and corrections on my previous email.

I actually posted what was discussed on my blog herein
http://securesoftware.blogspot.com/2009/01/java-security-why-not-to-use-string.html

I welcome your comments in light of the shared knowledge

Thanks & Regards

Marco M.

----- Original Message ----- 
From: "Rogan Dawes" <rogan at dawes.za.net>
To: <owasp-leaders at lists.owasp.org>
Cc: "Marco M. Morana" <marco.m.morana at gmail.com>
Sent: Friday, January 16, 2009 3:17 PM
Subject: Re: [Owasp-leaders] Generating Passwords


> Marco M. Morana wrote:
>>
>> Sorry slip by typo in previous email...meant "string or char are
>> immutable" as an object whose state cannot be altered after it has been
>> initiated, 0.00 Cents...
>>
>> Regards
>>
>> marco
>
> char[] is hardly immutable.
>
> // overwrite every element in place once the secret is no longer needed
> for (int i = 0; i < chars.length; i++) {
>     chars[i] = 0;
> }
>
> You can't do that with String, hence the recommendation to use char[]
> for passwords/sensitive information.
>
> Strings also get internalized (saved in an internal cache), which means
> that even when you set the variable to null, the actual String object
> may never be garbage collected.
>
> Anyway, Pravir's suggestion to do a risk assessment is a good one.
>
> Rogan
> 
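As an added example, not code from the thread or from either author, the char[] handling Rogan describes in Java: a buffer that is wiped on every exit path, next to a String that offers no way to overwrite its contents. Class and method names are my own, and the sample secret is constructed.

```java
import java.util.Arrays;

public class PasswordBuffer {

    // Overwrite every element; Arrays.fill is the idiomatic form of the
    // for-loop from the thread.
    static void wipe(char[] secret) {
        Arrays.fill(secret, '\0');
    }

    // True when no character of the original value survives in the array.
    static boolean isWiped(char[] secret) {
        for (char c : secret) {
            if (c != '\0') return false;
        }
        return true;
    }

    // Use the secret, then wipe it in finally so the caller's buffer is
    // cleared even if the comparison throws.
    static boolean verify(char[] candidate, char[] expected) {
        try {
            return Arrays.equals(candidate, expected);
        } finally {
            wipe(candidate);
        }
    }

    public static void main(String[] args) {
        // Constructed sample; a real secret would come from
        // System.console().readPassword(), which already returns char[].
        char[] pw = "s3cr3t".toCharArray();
        char[] expected = "s3cr3t".toCharArray();
        System.out.println("match: " + verify(pw, expected)); // true
        System.out.println("wiped: " + isWiped(pw));          // true

        // With a String there is nothing to overwrite: dropping the
        // reference leaves the characters in the heap until the object is
        // collected, and literals such as "s3cr3t" above are interned for
        // the lifetime of the JVM.
        String s = new String(expected);
        s = null; // the characters are still in memory at this point
        wipe(expected);
    }
}
```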