In this blog post we look at which Java data type you should choose for storing sensitive information, like passwords, and why. Below are the main reasons to choose a char array (char[]) rather than a String to store sensitive information such as a password.
- There is no way to clear a String object from memory; it is up to the GC to collect it.
- String objects are immutable and stored in the String Pool (which may reside inside PermGen space), which may never be GC'd.
- Anyone who takes a heap dump can easily see the String.
- With a char array, we can always overwrite (nullify) its contents once we are done with the information, so we depend far less on the GC and narrow the time window in which the sensitive data lives in memory.
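
The points above, as an added example that is not part of the original post: a password is kept in a char[] from input to hashing and overwritten in a `finally` block. The class name, method name, iteration count and sample password are assumptions made for illustration.

```java
import java.io.Console;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHandling {

    // Derive a PBKDF2 hash from the password, then erase every copy we control.
    // The iteration count (210_000) is an assumed value for this example.
    static byte[] hashAndWipe(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec)
                                   .getEncoded();
        } finally {
            spec.clearPassword();         // PBEKeySpec holds its own copy of the chars
            Arrays.fill(password, '\0');  // overwrite the caller's array in place
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Console.readPassword returns char[] and does not echo the input.
        Console console = System.console();
        char[] password = (console != null) ? console.readPassword("Password: ") : null;
        if (password == null) {
            // Constructed sample so the class also runs without a terminal.
            // Built as a char[] so no String holding the password is created.
            password = new char[] {'s', 'a', 'm', 'p', 'l', 'e'};
        }

        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        byte[] hash = hashAndWipe(password, salt);

        // After the call the array contains only '\0' characters.
        boolean wiped = Arrays.equals(password, new char[password.length]);
        System.out.println("hash bytes: " + hash.length);
        System.out.println("array wiped: " + wiped);
    }
}
```

Wiping shortens the exposure window rather than eliminating it, since the JVM may have copied the array while moving objects within the heap.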
That’s all about which Java data type you should choose for storing sensitive information, like passwords, and why.