commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: [VFS] Passing around password as byte[] instead
Date Mon, 08 Jul 2013 22:26:16 GMT
"Roger L. Whitcomb" <> wrote:

>I had a thought that it would be more secure to pass password data
>around in VFS as byte arrays instead of String objects so they could
>less easily be found by memory dumpers/scanners.  This would apply (for
>instance) to GenericFileName constructor and access methods, etc.
>Obviously, at some point, you have to convert to String (like in
>"GenericFileName.appendCredentials"), but it seems like at least some
>level of obfuscation, as in storing the data as bytes might be useful
>increase security.
>Thoughts?  Thanks.
>~Roger Whitcomb
>Apache Pivot PMC Chair

<hat type="asf security team member">
Security by obscurity is no security at all.

It provides a trivial obstacle to an attacker, makes debugging annoyingly harder and may fool
security unaware users into thinking their system is more secure than it really is.

If an attacker has gained enough access scan and/or dump the memory of a process it is aleady
game over for any data passing through that process unless a) the data is strongly encrypted
and b) the process does not ever have access to the decryption key.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message