JDK-4703755 : keytool displays passwords as they are entered

Details
Type:
Enhancement
Submit Date:
2002-06-18
Status:
Closed
Updated Date:
2004-11-17
Project Name:
JDK
Resolved Date:
2004-11-17
Component:
security-libs
OS:
generic,solaris_9,windows_nt
Sub-Component:
java.security
CPU:
generic,x86
Priority:
P3
Resolution:
Duplicate
Affected Versions:
1.4.0
Fixed Versions:

Related Reports
Duplicate:
Duplicate:

Sub Tasks

Description
The keytool displays passwords as they are entered. This
is considered very bad practice from a security point of view.

Example:
# keytool -import -alias patchsigning -file /opt/SUNWppro/etc/certs/patchsigningcert.b64 -keystore /usr/j2se/jre/lib/security/cacerts
Enter keystore password:  foobar
                          ^^^^^^

# java -version
java version "1.4.0_00"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0_00-b05)
Java HotSpot(TM) Client VM (build 1.4.0_00-b05, mixed mode)
# pkginfo -l SUNWj3rt
   PKGINST:  SUNWj3rt
      NAME:  J2SDK 1.4 runtime environment
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  1.4.0,REV=2002.03.19.23.51
   BASEDIR:  /usr
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Java virtual machine and core class libraries
    PSTAMP:  exactvm-sm19235127
  INSTDATE:  May 06 2002 16:14
   HOTLINE:  Please contact your local service provider
    STATUS:  completely installed
     FILES:      644 installed pathnames
                  14 shared pathnames
                  65 directories
                  60 executables
              107109 blocks used (approx)
# uname -a
SunOS sunhsc 5.9 Generic sun4u sparc SUNW,Ultra-60

Comments
EVALUATION

###@###.### 2002-06-18

We agree that it would be better not to echo the password back to avoid
the "peeking over the shoulder" attacks. But currently there is no platform
independent way to do this in Java. This is one of the top RFEs filed at
http://developer.java.sun.com/developer/bugParade/top25rfes.html (see 4050435).

So I'm changing this to "rfe". Once rfe 4050435 is implemented, we'll improve
password handling in keytool.

2004-06-11
SUGGESTED FIX

Use something with the functionality of getpass(3C) or
getpassphrase(3C) to obtain the password from the user.
2004-06-11
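The "functionality of getpass(3C)" the suggested fix asks for amounts to three things: turn off terminal echo before reading, read one line, and restore the terminal afterwards no matter what happened. The example below is added here and is not code from keytool or the JDK; it shows that behaviour written against POSIX termios (getpass(3) itself is marked obsolete on most modern systems), reads from an arbitrary file descriptor so it behaves sensibly on a pipe as well as a tty, truncates over-long input instead of overflowing, and wipes the buffer afterwards. The function names, the 64-byte buffers and the sample input "foobar" (taken from the report's own transcript) are constructed for this example.

```c
/* Added example: read a secret without echoing it, in the spirit of
 * getpass(3C). Assumes a POSIX system (termios, isatty, pipe). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Overwrite a buffer that held a secret. The volatile pointer keeps the
 * compiler from dropping the stores as "dead" after the last use. */
void wipe_secret(char *buf, size_t len) {
    volatile char *p = (volatile char *)buf;
    while (len--) *p++ = 0;
}

/* Read one line from fd into buf (at most buflen-1 bytes, NUL-terminated,
 * newline stripped). If fd is a terminal, ECHO is switched off for the
 * duration of the read and the saved settings are restored afterwards,
 * including on error. Input longer than the buffer is consumed and
 * truncated. Returns the number of bytes stored, or -1 on error. */
ssize_t read_password_noecho(int fd, char *buf, size_t buflen) {
    struct termios saved, noecho;
    int is_tty = isatty(fd);
    if (buflen == 0) return -1;
    memset(&saved, 0, sizeof saved);
    if (is_tty) {
        if (tcgetattr(fd, &saved) != 0) return -1;
        noecho = saved;
        noecho.c_lflag &= ~(tcflag_t)ECHO;  /* do not show typed characters */
        noecho.c_lflag |= ECHONL;           /* still echo the final newline */
        if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0) return -1;
    }
    size_t n = 0;
    ssize_t result = -1;
    char c;
    for (;;) {
        ssize_t r = read(fd, &c, 1);
        if (r < 0) { if (errno == EINTR) continue; break; }
        if (r == 0 || c == '\n') { result = (ssize_t)n; break; }  /* EOF or end of line */
        if (n + 1 < buflen) buf[n++] = c;   /* keep consuming, but do not overflow */
    }
    buf[n] = '\0';
    if (is_tty) tcsetattr(fd, TCSAFLUSH, &saved);  /* always restore echo */
    return result;
}

/* Self-check over a pipe (not a tty, so termios is left alone): feeds a
 * constructed line and compares the stored result. Returns 1 on success. */
int check_read(const char *constructed_input, size_t buflen, const char *expected) {
    int fds[2];
    char buf[64];
    if (buflen > sizeof buf || pipe(fds) != 0) return 0;
    size_t len = strlen(constructed_input);
    int ok = write(fds[1], constructed_input, len) == (ssize_t)len;
    close(fds[1]);                          /* EOF follows the sample line */
    if (ok) {
        ssize_t n = read_password_noecho(fds[0], buf, buflen);
        ok = n == (ssize_t)strlen(expected) && strcmp(buf, expected) == 0;
    }
    close(fds[0]);
    wipe_secret(buf, sizeof buf);
    return ok;
}

/* Interactive use: the prompt goes to stderr, the secret is never printed. */
int main(void) {
    char pw[128];
    fputs("Enter keystore password: ", stderr);
    ssize_t n = read_password_noecho(STDIN_FILENO, pw, sizeof pw);
    if (n < 0) { perror("read_password_noecho"); return 1; }
    fprintf(stderr, "read %zd characters (not shown)\n", n);
    wipe_secret(pw, sizeof pw);
    return 0;
}
```

Restoring the saved termios state on every exit path matters in practice: a caller that aborts between tcsetattr calls otherwise leaves the user's shell with echo disabled. On the Java side, the platform-independent API the evaluation was waiting on arrived as java.io.Console.readPassword() in JDK 6, which returns a char[] precisely so the caller can zero it the way wipe_secret does here.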