Lewis D.
If you are writing an application in Java Swing that handles passwords, you will notice that the JPasswordField component returns a char[] rather than a String when you call its getPassword() method. There are a number of reasons why a char[] is preferred over a String for handling passwords. Let's consider them.
The fundamental issue with using a String to store a password is immutability. A String object is immutable in Java (which you can read more about in the Sentry answer to Is Java Pass-By-Reference or Pass-By-Value?). Because of this, if you store a password as a String, the plain text remains readable in memory until the garbage collector reclaims the unused object, and even then the bytes are not zeroed: they survive until that memory happens to be reused. Immutability means a String's value cannot be erased or overwritten by a new assignment; a new String is created instead and the old one lingers. With a char[], because the elements are primitives, you can overwrite the array with any value and so avoid leaving sensitive data in memory once you have finished processing it. This only works if the array is never copied into a String along the way (for example with new String(chars) or String.valueOf(chars)); do that and the same problem reappears.
A related concern is the String Constant Pool, a special area of heap memory in which Java keeps string literals so that identical literals can be shared. When a string literal appears in your program, a reference to it is created on the stack and the String object itself lives in the pool, where it stays for the lifetime of the class that declared it; any String on which intern() is called is added to the pool as well. A password read from a JPasswordField at runtime is not pooled automatically, but a password that is hard-coded as a literal, or converted to a String and then interned, can remain in memory for as long as the application runs. This is an even bigger security threat, so never hard-code passwords as literals and never call intern() on a String that holds one.
Another aspect to consider is the risk of printing the password to a log. Storing a password as a String makes this easy to do by accident, since strings are readily appended to log messages or to the standard output stream. An array is safer in the common case: concatenating it into a message ("pw=" + chars) or passing it to a logger as an Object prints only the array's type and identity hash, something like [C@ followed by a hexadecimal value, not its contents. This is not absolute protection. System.out.println(char[]) and PrintStream.print(char[]) have overloads that print the characters themselves, and String.valueOf(chars) or Arrays.toString(chars) reveal them too, so be careful whenever the array is passed on its own.
Using a char[] is certainly a safer option than using a String for handling passwords in Java. It should be noted, though, that even if you are using a char[], you should still hash passwords rather than store or compare them in plain text, using a slow, salted algorithm such as Argon2id, bcrypt or PBKDF2. Consider the following guide from the Open Web Application Security Project (OWASP) on password storage. Lastly, it is always prudent to explicitly clear a password from memory as soon as it has been used for authentication, for example with Arrays.fill(password, '\0'). The JVM offers no hard guarantee here: a copying garbage collector may already have moved the array and left an earlier copy behind, so wiping shrinks the exposure window rather than eliminating it.