[Owasp-leaders] Generating Passwords Hopw

Marco M. Morana marco.m.morana at gmail.com
Sat Jan 17 18:39:30 EST 2009


Thanks for your follow-up and corrections on my previous email.

I actually posted what was discussed on my blog herein

I welcome your comments in light of the shared knowledge

Thanks & Regards

Marco M.

----- Original Message ----- 
From: "Rogan Dawes" <rogan at dawes.za.net>
To: <owasp-leaders at lists.owasp.org>
Cc: "Marco M. Morana" <marco.m.morana at gmail.com>
Sent: Friday, January 16, 2009 3:17 PM
Subject: Re: [Owasp-leaders] Generating Passwords

> Marco M. Morana wrote:
>> Sorry slip by typo in previous email...meant "string or char are
>> immutable" as an object whose state cannot be altered after it has been
>> initiated, 0.00 Cents...
>> Regards
>> marco
> char[] is hardly immutable.
> for (int i=0; i<chars.length; i++) {
>  chars[i] = 0;
> }
> You can't do that with String, hence the recommendation to use char[]
> for passwords/sensitive information.
> Strings also get internalized (saved in an internal cache), which means
> that even when you set the variable to null, the actual String object
> may never be garbage collected.
> Anyway, Pravir's suggestion to do a risk assessment is a good one.
> Rogan
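
The char[] handling recommended in the quoted reply, as an added example that is not part of the original thread: the password stays in a char[] that is zeroed after use, next to the String case where only the reference can be dropped. The class name, sample password and iteration count are assumptions chosen for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class PasswordWipeDemo {   // hypothetical class name

    // Derives a PBKDF2 hash from the password, then wipes every copy we control.
    static byte[] hashAndWipe(char[] password, byte[] salt) throws GeneralSecurityException {
        // PBEKeySpec clones the char[] internally, so it holds its own copy to clear.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();          // wipe the spec's internal copy
            Arrays.fill(password, '\0');   // wipe the caller's array in place
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Constructed sample value; real code would take the array from
        // System.console().readPassword() or JPasswordField.getPassword().
        char[] password = {'c', 'o', 'r', 'r', 'e', 'c', 't'};

        byte[] hash = hashAndWipe(password, salt);
        System.out.println("hash length: " + hash.length);
        System.out.println("array wiped: "
                + Arrays.equals(password, new char[password.length]));

        // The String case: a literal is interned, and clearing the variable
        // only drops a reference. The characters cannot be overwritten.
        String s = "correct";
        String pooled = new String(new char[] {'c','o','r','r','e','c','t'}).intern();
        s = null;
        System.out.println("interned copy still reachable: " + (pooled == "correct"));
    }
}
```

Zeroing the array narrows the window in which the password sits in the heap; copies the garbage collector made while moving the array are outside the program's control.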
