You may well hear such a question in an interview for a Junior Java position. But my friend was asked this during an interview for the position of Technical Lead.
Both String and a character array can be used to store text data. But consciously choosing one or the other for a specific task is difficult if you have not yet encountered a similar situation. However, as my friend pointed out, any question related to String usually involves a special property of strings called immutability (Immutable), and he took advantage of this in the interview. So, let's look at a couple of reasons why you should use char[], and not String, to store your password.
Reason 1. Strings are immutable
Since strings are immutable in Java, your plain text password will be available in memory until the garbage collector clears it. And since String objects are kept in the String pool for reuse, there is a fairly high probability that the password will remain in memory for a long time, which is not at all secure.
The Java String pool is a pool, or set, of objects (strings) that is located in a special place: the heap. String is one of the most common data types in Java. It is not a primitive type but an object, since it is very resource-intensive. So, to store a string of four characters, you need to allocate 56 bytes of memory. This is why strings, like other objects, are stored on the heap.
Anyone with access to a memory dump can find the password in plain text, which is a good reason to use an encrypted password rather than plain text. Because strings are immutable, their contents cannot be changed. Any change will create a new string. But in the case of char[], you can replace any of its elements with zero or an empty character. Thus, storing the password in a character array clearly reduces the risk of password interception.
Reason 2. Authors' recommendations
Java itself (well, through its creators, of course) recommends using the getPassword() method of the JPasswordField class, which returns char[]. There is also the getText() method, but it is deprecated. Why not follow the recommendations of the language authors?
Reason 3. Print
With the String type there is always a danger that the text stored in the string will be printed to a log file or to the console. At the same time, if you use an array, you will not print the contents of the array, but only its location in memory. Of course, this is not exactly a serious reason, but it still makes sense.
String strPassword = "Unknown";
char[] charPassword = new char[] {'U', 'n', 'k', 'n', 'o', 'w', 'n'};
// Concatenation calls toString(): the String yields its text, the array does not
System.out.println("String password: " + strPassword);
System.out.println("Character password: " + charPassword);
String password: Unknown
Character password: [C@110b053
Of course, using char[] in Java to store passwords is not in itself a panacea. You need to take security precautions, such as working with hashes and encrypting passwords rather than storing them in plain text. And, of course, delete the password from memory immediately after the authentication procedure.
Based on materials from Javarevisited