You may well hear this question in an interview for a Java Junior position. But my friend was asked for it at an interview for the position of Technical Lead.
Both
String
and a character array can be used to store text data. But the conscious choice of one or the other for a particular task is difficult if you have not yet encountered a similar situation. However, as my friend pointed out, any question related to is
String
usually related to the immutability (
Immutable
) special property of strings, and he took advantage of this in an interview. So, let's look at a couple of reasons why you should use
char []
instead of
String
.
Reason 1: Strings are immutable
Since Java strings are immutable, your plain text password will be available in memory until the garbage collector cleans it up. And because
String
they are used
String pool
for reuse, there is a fairly high probability that the password will remain in memory for a long time, which is not at all safe.
Java String pool is a pool or set of objects (strings) that is located in a special place - a heap (Heap). String in Java is one of the most common data types. This is not a primitive type, but an object, since it is very resource-intensive. So, to store a string of four characters, you need to allocate 56 bytes of memory. This is why strings, like other objects, are stored on the heap. |
Anyone with access to a memory dump can find the password in plain text, and this is a good reason to use an encrypted password rather than plain text. Because strings are immutable, their contents cannot be changed. Any change will result in a new line being created. But in the case of with
char []
, you can replace any of its elements with zero or an empty character. Thus, storing the password in a character array clearly reduces the risk of password sniffing.
Reason 2. Recommendations of the authors
Java itself (well, through its creators, of course) recommends using a method
getPassword ()
from the class
JPasswordField
that returns
char []
. You can also try the deprecated method
getText ()
. Why not follow the recommendations of the authors of the language?
Reason 3. Printing
With a type,
String
there is always the danger that the text stored in a string will be printed in a log file or in the console. At the same time, in the case of using
Array
, you will not print the contents of the array, but only its location in memory. Of course, this is not that serious reason, but still it also makes sense.
String strPassword = "Unknown";
char [] charPassword = new char [] {'U', 'n', 'k', 'w', 'o', 'n'};
System.out.println ("String password:" + strPassword);
System.out.println ("char password:" + charPassword);
String password: Unknown
Character password: [C@110b053
Of course, using
char []
Java to store passwords is not a panacea in and of itself. You need to take care of security, for example, work with hashes and encrypt passwords, and not store them in plain text. And, of course, delete it from memory immediately after the authentication procedure.
Sourced from Javarevisited
GO TO FULL VERSION