Why to use char[] array over a string for storing passwords in Java?


1. Strings are immutable: Strings are immutable in Java, so a password stored as a plain-text String stays in memory until the garbage collector clears it. Because Strings are kept in the String pool for reusability, there is a high chance that it will remain in memory for a long time, which is a security threat. The content of a String cannot be changed, because any change produces a new String.
With an array, the data can be wiped explicitly once its work is completed. The array can be overwritten and the password won’t be present anywhere in the system, even before garbage collection.

2. Security: Anyone who has access to a memory dump can find the password in clear text, which is another reason to use an encrypted password rather than plain text. Storing the password in a character array therefore clearly mitigates the security risk of the password being stolen.

3. Log file safety: With an array, one can explicitly wipe the data by overwriting the array, and the password won’t be present anywhere in the system.
With a plain String, there is a much higher chance of accidentally printing the password to logs, monitors or some other insecure place. A char[] is less vulnerable, as the following program shows.

Java

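// Java program to illustrate preferring char[] arrays
// over Strings for passwords in Java
public class PasswordPreference
{
    public static void main(String[] args)
    {
        String strPwd = "password";
        char[] charPwd = new char[] {'p','a','s','s','w','o','r','d'};

        // Concatenating a String prints its content in clear text.
        System.out.println("String password: " + strPwd);
        // Concatenating a char[] uses Object.toString(), which prints the
        // array type and hash code rather than the characters.
        System.out.println("Character password: " + charPwd);
    }
}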


Output: 

String password: password
Character password: [C@15db9742

4. Java recommendation: Java itself follows this practice. In JPasswordField of javax.swing, the method public String getText(), which returns a String, is deprecated from Java 2 and is replaced by public char[] getPassword(), which returns a char array.
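
The wipe-after-use pattern described in points 1 and 3, as an added example that is not part of the original article. The class name PasswordWipeDemo, the method hashAndWipe, the PBKDF2 parameters and the sample password are assumptions chosen for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: hypothetical class and method names, constructed sample password.
public class PasswordWipeDemo {

    // Derives a PBKDF2 hash from the password, then wipes every copy we control.
    static byte[] hashAndWipe(char[] password, byte[] salt) throws Exception {
        // Iteration count and key length are example values.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();           // PBEKeySpec keeps its own internal copy
            Arrays.fill(password, '\0');    // overwrite the caller's array in place
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Constructed sample input; a real program would take the char[] from
        // Console.readPassword() or JPasswordField.getPassword().
        char[] enrolled = {'p', 'a', 's', 's', 'w', 'o', 'r', 'd'};
        char[] attempt  = {'p', 'a', 's', 's', 'w', 'o', 'r', 'd'};

        byte[] stored = hashAndWipe(enrolled, salt);
        byte[] candidate = hashAndWipe(attempt, salt);

        // Constant-time comparison of the derived hashes.
        System.out.println("Match: " + MessageDigest.isEqual(stored, candidate));
        // After hashAndWipe returns, both arrays hold only '\0' characters.
        System.out.println("Wiped: " + (enrolled[0] == '\0' && attempt[7] == '\0'));
        // Log metadata such as the length, never the array contents.
        System.out.println("Password length was " + enrolled.length);
    }
}
```

The finally block runs even if key derivation throws, so the array is overwritten on the error path as well.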


Last Updated : 20 Jun, 2022