Why is char preferred over String for passwords?
Gareth D.
—The problem
According to the official Java Cryptography Architecture, you should not use String to collect passwords. The guide instead recommends using char[] as an alternative to safely and securely store passwords. Below we consider the reasons why.
The solution
While String may seem like the logical data type to store passwords, a few issues makes it unsuitable. For starters, strings in Java are immutable. This means that once created, String cannot be modified. This is for multiple reasons, including thread safety, class loading, and security. Once created, all strings are added to the string pool, a Java heap where all string literals are stored. These strings remain available in memory until garbage collection takes place. Since they cannot be overwritten, it means our passwords stay in memory, vulnerable to being read by attackers.
A character array, char[], on the other hand, can easily be overwritten or zeroed out after use. It is actually used by core Java methods such as javax.swing.JPasswordField and javax.crypto.spec.PBEKeySpec. Using char[] adds an extra layer of security as our passwords and other sensitive data are no longer held in memory any longer than they should be.
Another reason for not using the String data type for passwords is that our application can easily and accidentally log it. This could be logging to the console, a log file, or a remote logging server. This is a huge risk as the user’s password will be logged in plain text and vulnerable in the case of a breach. This has occurred with industry leaders like Twitter and GitHub.
Storing passwords as a char[] helps prevent accidental logging. When a character array is logged, it prints out the object’s memory location by default instead of the array’s contents, whereas String prints out the string’s contents. The following example shows this:
public static void main(String[] args) { String password = "Password"; char[] securePassword = password.toCharArray(); System.out.println("String: " + password); System.out.println("Char array: " + securePassword); }
The output is as follows:
String: Password Char array: [C@568db2f2
It’s important to note that the use of char[] for passwords is not a substitute for hashing or encryption of passwords, as it only increases security at the application level. Passwords should still be hashed for security purposes when being stored.
- Sentry BlogException Handling in Java (with Real Examples)
- Syntax.fmListen to the Syntax Podcast
- Listen to the Syntax Podcast
![Syntax.fm logo]()
Tasty treats for web developers brought to you by Sentry. Get tips and tricks from Wes Bos and Scott Tolinski.
SEE EPISODES
Considered “not bad” by 4 million developers and more than 100,000 organizations worldwide, Sentry provides code-level observability to many of the world’s best-known companies like Disney, Peloton, Cloudflare, Eventbrite, Slack, Supercell, and Rockstar Games. Each month we process billions of exceptions from the most popular products on the internet.
A peek at your privacy
Here’s a quick look at how Sentry handles your personal information (PII).
×Who we collect PII from
We collect PII about people browsing our website, users of the Sentry service, prospective customers, and people who otherwise interact with us.
What if my PII is included in data sent to Sentry by a Sentry customer (e.g., someone using Sentry to monitor their app)? In this case you have to contact the Sentry customer (e.g., the maker of the app). We do not control the data that is sent to us through the Sentry service for the purposes of application monitoring.
Am I included?PII we may collect about you
- PII provided by you and related to your
- Account, profile, and login
- Requests and inquiries
- Purchases
- PII collected from your device and usage
- PII collected from third parties (e.g., social media)
How we use your PII
- To operate our site and service
- To protect and improve our site and service
- To provide customer care and support
- To communicate with you
- For other purposes (that we inform you of at collection)
Third parties who receive your PII
We may disclose your PII to the following type of recipients:
- Subsidiaries and other affiliates
- Service providers
- Partners (go-to-market, analytics)
- Third-party platforms (when you connect them to our service)
- Governmental authorities (where necessary)
- An actual or potential buyer
We use cookies (but not for advertising)
- We do not use advertising or targeting cookies
- We use necessary cookies to run and improve our site and service
- You can disable cookies but this can impact your use or access to certain parts of our site and service
Know your rights
You may have the following rights related to your PII:
- Access, correct, and update
- Object to or restrict processing
- Port over
- Opt-out of marketing
- Be forgotten by Sentry
- Withdraw your consent
- Complain about us
If you have any questions or concerns about your privacy at Sentry, please email us at compliance@sentry.io.
If you are a California resident, see our Supplemental notice.