Article
Start
Start learning
JavaRush /Java Blog /Random EN /Q&A: Why is it better to store a password in Java in an a...
Эллеонора Керри
Level 41

Q&A: Why is it better to store a password in Java in an array of characters rather than in a String?

Published in the Random EN group
You may well hear this question in an interview for a Java Junior position. But my friend was asked for it at an interview for the position of Technical Lead.
Q&A: Why is it better to store a password in Java in an array of characters rather than in a String? - 1
Both Stringand a character array can be used to store text data. But the conscious choice of one or the other for a particular task is difficult if you have not yet encountered a similar situation. However, as my friend pointed out, any question related to is Stringusually related to the immutability ( Immutable) special property of strings, and he took advantage of this in an interview. So, let's look at a couple of reasons why you should use char []instead of String.

Reason 1: Strings are immutable

Java-университет
Since Java strings are immutable, your plain text password will be available in memory until the garbage collector cleans it up. And because Stringthey are used String poolfor reuse, there is a fairly high probability that the password will remain in memory for a long time, which is not at all safe.
Java String pool is a pool or set of objects (strings) that is located in a special place - a heap (Heap). String in Java is one of the most common data types. This is not a primitive type, but an object, since it is very resource-intensive. So, to store a string of four characters, you need to allocate 56 bytes of memory. This is why strings, like other objects, are stored on the heap.
Anyone with access to a memory dump can find the password in plain text, and this is a good reason to use an encrypted password rather than plain text. Because strings are immutable, their contents cannot be changed. Any change will result in a new line being created. But in the case of with char [], you can replace any of its elements with zero or an empty character. Thus, storing the password in a character array clearly reduces the risk of password sniffing.

Reason 2. Recommendations of the authors

Java itself (well, through its creators, of course) recommends using a method getPassword ()from the class JPasswordFieldthat returns char []. You can also try the deprecated method getText (). Why not follow the recommendations of the authors of the language?

Reason 3. Printing

With a type, Stringthere is always the danger that the text stored in a string will be printed in a log file or in the console. At the same time, in the case of using Array, you will not print the contents of the array, but only its location in memory. Of course, this is not that serious reason, but still it also makes sense. 
String strPassword = "Unknown";
char [] charPassword = new char [] {'U', 'n', 'k', 'w', 'o', 'n'};
System.out.println ("String password:" + strPassword);
System.out.println ("char password:" + charPassword);

String password: Unknown
Character password: [C@110b053
Of course, using char []Java to store passwords is not a panacea in and of itself. You need to take care of security, for example, work with hashes and encrypt passwords, and not store them in plain text. And, of course, delete it from memory immediately after the authentication procedure. Sourced from Javarevisited
What else to read?

Tricky Java interview questions often asked

How to print numbers from 1 to 100 in Java without loops and conditions?

Using Java Arrays.sort() on any list of objects
Comments
TO VIEW ALL COMMENTS OR TO MAKE A COMMENT,
GO TO FULL VERSION