[Owasp-leaders] Generating Passwords Hopw

McGovern, James F (HTSC, IT) James.McGovern at thehartford.com
Tue Jan 20 09:50:07 EST 2009


The rationale for me throwing this out was several-fold:

1. For whatever reason, I think I made this habit from reading Elliotte
Rusty Harold's books on network programming.
2. I have been on a rant in the blogosphere regarding the security of
identity federation and all the new ways it exposes weak application
security approaches
3. Since I saw this style in Java, I wonder if there is merit in a
project that walks the JDK and CLR respectively and provides feedback on
weak APIs (e.g. Readline) such that MS and Sun can help champion better
ones while also deprecating weaker ones.


-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Marco M.
Morana
Sent: Saturday, January 17, 2009 6:40 PM
To: Rogan Dawes; owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Generating Passwords Hopw

Rogan

thanks for your follow up and corrections on my previous email.

I actually posted what was discussed on my blog here:
http://securesoftware.blogspot.com/2009/01/java-security-why-not-to-use-string.html

I welcome your comments in light of the shared knowledge

Thanks & Regards

Marco M.

----- Original Message -----
From: "Rogan Dawes" <rogan at dawes.za.net>
To: <owasp-leaders at lists.owasp.org>
Cc: "Marco M. Morana" <marco.m.morana at gmail.com>
Sent: Friday, January 16, 2009 3:17 PM
Subject: Re: [Owasp-leaders] Generating Passwords


> Marco M. Morana wrote:
>>
>> Sorry, slip by typo in previous email... meant "string or char are
>> immutable" as an object whose state cannot be altered after it has
>> been initiated, 0.00 Cents...
>>
>> Regards
>>
>> marco
>
> char[] is hardly immutable.
>
> for (int i=0; i<chars.length; i++) {
>  chars[i] = 0;
> }
>
> You can't do that with String, hence the recommendation to use char[]
> for passwords/sensitive information.
>
> Strings also get internalized (saved in an internal cache), which
> means that even when you set the variable to null, the actual String
> object may never be garbage collected.
>
> Anyway, Pravir's suggestion to do a risk assessment is a good one.
>
> Rogan
> 

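A Java illustration of the char[] handling Rogan describes above (compare without building a String, wipe the buffer after use, and note why a String cannot be cleared), added here as an example; it is not code from anyone in the thread, and the sample values are constructed.

```java
import java.io.Console;
import java.util.Arrays;

public class PasswordWipeDemo {

    /** Constant-time comparison of two secrets; never copies either into a String. */
    static boolean matches(char[] candidate, char[] expected) {
        if (candidate.length != expected.length) return false;
        int diff = 0;
        for (int i = 0; i < candidate.length; i++) {
            diff |= candidate[i] ^ expected[i];
        }
        return diff == 0;
    }

    /** Overwrite every element so the secret no longer lives in this buffer. */
    static void wipe(char[] secret) {
        Arrays.fill(secret, '\0');
    }

    static boolean isWiped(char[] buf) {
        for (char c : buf) if (c != '\0') return false;
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values, built as char arrays on purpose: a String
        // literal would already be an interned copy of the secret.
        char[] expected = {'c', 'o', 'r', 'r', 'e', 'c', 't'};
        char[] entered  = {'c', 'o', 'r', 'r', 'e', 'c', 't'};
        Console console = System.console();
        if (console != null) {
            // Console.readPassword returns char[] precisely so the caller can wipe it.
            entered = console.readPassword("Password: ");
        }
        try {
            System.out.println("match: " + matches(entered, expected));
        } finally {
            wipe(entered);   // always runs, even if matches() throws
            wipe(expected);
        }
        System.out.println("entered wiped: " + isWiped(entered));

        // Contrast: a String is immutable, so its characters stay on the heap until
        // the GC reclaims the object; literals and intern()ed Strings sit in the pool
        // for the life of the class loader. Nulling the reference clears nothing.
        String asString = new String(new char[] {'h', 'u', 'n', 't', 'e', 'r'}); // constructed
        asString = null; // the old String's char data is untouched by this line
    }
}
```

Any copy made along the way (a byte[] from encoding, a StringBuilder, a log line) holds the secret just as the original did and needs the same wipe-after-use treatment.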
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders