commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gary Gregory <garydgreg...@gmail.com>
Subject Re: [VFS] Passing around password as byte[] instead
Date Thu, 25 Jul 2013 22:16:51 GMT
Patches welcome of course :)

Gary

On Jul 25, 2013, at 15:10, Anshul Zunke <anshulzunke@gmail.com> wrote:

> I was asked to convert String password to character password in my org
> because of security issues and same immutable property of string was the
> reason for it.
>
>
> On Tue, Jul 9, 2013 at 11:09 PM, Roger L. Whitcomb <
> Roger.Whitcomb@actian.com> wrote:
>
>> Yes, 2.1 was what I meant...
>>
>> ~Roger Whitcomb
>>
>> -----Original Message-----
>> From: Gary Gregory [mailto:garydgregory@gmail.com]
>> Sent: Monday, July 08, 2013 5:52 PM
>> To: Commons Developers List
>> Subject: Re: [VFS] Passing around password as byte[] instead
>>
>> On Mon, Jul 8, 2013 at 7:05 PM, Roger L. Whitcomb <
>> Roger.Whitcomb@actian.com
>>> wrote:
>>
>>> Well, that's what .Net did with SecureString, and OpenSSL did as well.
>>> There is a longer discussion here:
>>> http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-
>>> st
>>> ring-for-passwords
>>> that talks more about the pros and cons.
>>>
>>> The main reason I bring it up is that, even though it doesn't provide
>>> *that much* extra security, providing some help at the API levels
>>> seems better than doing nothing ...  It seems that, even though it
>>> provides only minimal security, it is *still* considered best practice
>>> to zero out password fields as soon as possible to minimize the
>>> potential security risks.
>>>
>>> So, seeing that VFS 2.0 is not quite released yet, it seemed like a
>>> good time to at least raise the question before the API is cast in stone.
>>
>> 2.0 has been out for a long time. 2.1 is ready for a release IMO.
>>
>> Gary
>>
>>
>>>
>>> I'd be willing to take a crack at a patch to implement this change if
>>> there was enough interest.
>>>
>>> Thanks,
>>> ~Roger
>>>
>>> -----Original Message-----
>>> From: Honton, Charles [mailto:Charles_Honton@intuit.com]
>>> Sent: Monday, July 08, 2013 3:53 PM
>>> To: Commons Developers List
>>> Subject: Re: [VFS] Passing around password as byte[] instead
>>>
>>> Or maybe a Password class that's tailor designed to obsfucate and zero
>>> contents...
>>>
>>> On 7/8/13 3:23 PM, "sebb" <sebbaz@gmail.com> wrote:
>>>
>>>> On 8 July 2013 23:05, Roger L. Whitcomb <Roger.Whitcomb@actian.com>
>>> wrote:
>>>>> I had a thought that it would be more secure to pass password data
>>>>> around in VFS as byte arrays instead of String objects so they
>>>>> could less easily be found by memory dumpers/scanners.  This would
>>>>> apply (for
>>>>> instance) to GenericFileName constructor and access methods, etc.
>>>>> Obviously, at some point, you have to convert to String (like in
>>>>> "GenericFileName.appendCredentials"), but it seems like at least
>>>>> some
>>>
>>>>> level of obfuscation, as in storing the data as bytes might be
>>>>> useful
>>>
>>>>> to increase security.
>>>>
>>>> Another reason for using bytes is that the array can be zeroed out -
>>>> or
>>>
>>>> replaced with fake password to fool hackers ;-) - once it has been
>>>> used.
>>>> This is not possible with immutable strings.
>>>>
>>>>>
>>>>>
>>>>> Thoughts?  Thanks.
>>>>>
>>>>>
>>>>>
>>>>> ~Roger Whitcomb
>>>>>
>>>>> Apache Pivot PMC Chair
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>>
>> --
>> E-Mail: garydgregory@gmail.com | ggregory@apache.org Java Persistence
>> with Hibernate, Second Edition<http://www.manning.com/bauer3/>
>> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
>> Spring Batch in Action <http://www.manning.com/templier/>
>> Blog: http://garygregory.wordpress.com
>> Home: http://garygregory.com/
>> Tweet! http://twitter.com/GaryGregory
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>
>
>
> --
> Anshul Zunke

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Mime
View raw message