• char[] is an array of primitive values of type char. All it provides is a length attribute and a way to get and set the char at a given index.
  • String is an object of type java.lang.String, which has a whole lot of useful methods for manipulating strings. Internally, it uses a char array.
  • In Java, String is immutable: once a string is created it cannot be changed, and once it is no longer referenced it is removed from memory only by the garbage collector. There is no way to remove it manually before the garbage collector comes into the picture.
  • With a character array we can remove the data manually and overwrite it with other values even before garbage collection, so char[] is more secure than String for storing passwords because we have control over it, not the garbage collector.
  • Java itself recommends using the getPassword() method of JPasswordField, which returns a char[], and has deprecated the getText() method, which returns the password in clear text, for security reasons.

Difference Between A String And A Character Array In Java

The biggest difference between the two is the way the Garbage Collector (GC) handles each object. Since Strings are handled by the Java Garbage Collector in a different way than other traditional objects, String is less suitable for storing sensitive information.

Main reasons to prefer char[] are:

  • Immutability of Strings.
  • Accidental Printing to Logs
  • Recommendation by Java itself

Immutability of Strings

  • Strings in Java are immutable (i.e. once created we cannot change their value) and they also use the String Pool concept for reusability, hence we are left with no option to clear one from memory until the GC clears it.
  • Because of this there is a great chance that the object created will remain in memory for a long time, and we cannot even change its value. So anyone with access to a memory dump can easily retrieve the exact password from memory.
  • For this we can also use encryption techniques, so that if someone gains access they will only get the encrypted copy of the password.
  • But with a character array we can ourselves remove the data from the array, and there would be no trace of the password in memory.

Code:-

java code
public class WikiPasswordSecurityExample
{
    public static void main(String[] args)
    {
        char[] password = { 'p', 'a', 's', 's', 'w', 'o', 'r', 'd' };

        // Overwriting every character of the password
        for (int i = 0; i < password.length; i++) {
            password[i] = 'y';
        }

        System.out.print("New Password - ");
        // Printing the new password
        for (int i = 0; i < password.length; i++) {
            System.out.print(password[i]);
        }
    }
}

Output:-

New Password - yyyyyyyy

In the above example we can see that the array holding the value of the password is changed, and now no trace of the actual password exists in memory. So nobody, even with memory dumps, can retrieve the password.

The reasons why Strings are immutable are listed below:-

  • Security in multithreaded environment
  • To provide string pool facility
  • Strings can cache their hash code
  • To support other functionality that relies on unchanging values
  • To provide security features

Accidental Printing to Logs

  • Along with memory dump protection, storing passwords in char arrays also prevents accidental logging of the password in text files, consoles, monitors and other insecure places.
  • In the same scenario a char array does not print its value when its toString() method is used, as the example below shows.
java code
public class WikiPasswordSecurityExample
{
    public static void main(String[] args)
    {
        String password = "password";
        char[] password2;

        System.out.println("Printing String -> " + password);

        // String concatenation calls toString() on the array, which does not expose its contents
        password2 = password.toCharArray();
        System.out.println("Printing Char Array -> " + password2);
    }
}

Output:-

Printing String -> password

Printing Char Array -> [C@21882d18
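The overwriting shown in the first example and the logging point from this section, combined in one added example that is not the article's own code: the password stays a char[] all the way into PBKDF2 (whose PBEKeySpec takes char[] directly) and is wiped in a finally block; the class name, salt length and iteration count are assumptions for the demo.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class CharArrayPasswordDemo {

    // Hash the password with PBKDF2 (salt length and iteration count are assumed
    // demo values) and wipe the plaintext before returning, whether or not the
    // key derivation succeeded.
    static byte[] hashAndWipe(char[] password, byte[] salt)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory factory =
                    SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();        // PBEKeySpec copied the chars; clear that copy
            Arrays.fill(password, '\0'); // overwrite the caller's array, as the article does
        }
    }

    // True when every char has been zeroed, i.e. no trace of the plaintext remains.
    static boolean isWiped(char[] password) {
        for (char c : password) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] password = { 'p', 'a', 's', 's', 'w', 'o', 'r', 'd' }; // constructed sample
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Logging pitfall: concatenation prints only [C@..., but the println(char[])
        // overload, String.valueOf(char[]) and Arrays.toString(char[]) all reveal
        // the characters, so the array must never reach such a call in a log statement.
        System.out.println("Concatenated    -> " + password);
        System.out.println("Arrays.toString -> " + Arrays.toString(password));

        byte[] hash = hashAndWipe(password, salt);
        System.out.println("Hash length     -> " + hash.length);
        System.out.println("Wiped           -> " + isWiped(password));
    }
}
```

Note that converting the array with new String(password) at any point creates exactly the immutable copy the article warns about, so the char[] should be passed to APIs that accept it as-is.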

Recommendation by Java itself

  • Java itself recommends the use of a char array instead of a String. This is clear from the JPasswordField of javax.swing: the method public String getText(), which returns a String, is deprecated since Java 2 and is replaced by public char[] getPassword(), which returns a char array.
