Date: Mon, 8 Jul 2013 23:23:23 +0100
Subject: Re: [VFS] Passing around password as byte[] instead
From: sebb
To: Commons Developers List

On 8 July 2013 23:05, Roger L. Whitcomb wrote:
> I had a thought that it would be more secure to pass password data
> around in VFS as byte arrays instead of String objects so they could
> less easily be found by memory dumpers/scanners. This would apply (for
> instance) to GenericFileName constructor and access methods, etc.
> Obviously, at some point, you have to convert to String (like in
> "GenericFileName.appendCredentials"), but it seems like at least some
> level of obfuscation, as in storing the data as bytes might be useful to
> increase security.

Another reason for using bytes is that the array can be zeroed out -
or replaced with fake password to fool hackers ;-) - once it has been
used. This is not possible with immutable strings.

>
> Thoughts? Thanks.
>
> ~Roger Whitcomb
> Apache Pivot PMC Chair
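
The zeroing described in the reply above, as an added example that is not part of this thread or of Commons VFS. `PasswordBytes` and its methods are hypothetical names, and the sample password is constructed.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical holder (not a Commons VFS class): keeps a password as bytes and wipes it on close().
public final class PasswordBytes implements AutoCloseable {
    private final byte[] secret;
    private boolean cleared;

    // Encodes the caller's char[] to UTF-8 without creating an intermediate String.
    public PasswordBytes(char[] password) {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        secret = new byte[encoded.remaining()];
        encoded.get(secret);
        // The encoder's scratch buffer also holds the password; wipe it if it is array-backed.
        if (encoded.hasArray()) {
            Arrays.fill(encoded.array(), (byte) 0);
        }
    }

    // Returns a copy that the caller must zero; the internal array never escapes.
    public byte[] copy() {
        if (cleared) {
            throw new IllegalStateException("password already cleared");
        }
        return Arrays.copyOf(secret, secret.length);
    }

    // Overwrites the stored bytes in place, which an immutable String cannot do.
    @Override
    public void close() {
        Arrays.fill(secret, (byte) 0);
        cleared = true;
    }
    public static void main(String[] args) {
        char[] typed = {'s', '3', 'c', 'r', 'e', 't'};   // constructed sample input
        byte[] forLogin = null;
        try (PasswordBytes pw = new PasswordBytes(typed)) {
            forLogin = pw.copy();                        // hand to the code that authenticates
        } finally {
            Arrays.fill(typed, '\0');                    // wipe the caller's original
            if (forLogin != null) {
                Arrays.fill(forLogin, (byte) 0);         // wipe the working copy
            }
        }
        System.out.println("cleared copy: " + Arrays.toString(forLogin));
    }
}
```

Zeroing shortens the time the password sits in the heap; it does not reach copies the garbage collector may already have made when relocating the array, or any String built from the bytes later.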