JDK-4150490 : "String" objects should not be used to store passwords
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 1.2.0
  • Priority: P1
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 1998-06-18
  • Updated: 2020-12-16
  • Resolved: 1999-01-15
Fix Version
  • 1.2.0 (build 1.2beta4): Fixed
Description
It is a safe programming practice to "destroy" a password after it is
no longer used.

However, all the methods in java.security.KeyStore and
java.security.KeyStoreSpi that deal with user-provided passwords
expect those passwords to be supplied as "String" arguments.

This is a potential security hole, because objects of type "String"
are immutable and there is no way to overwrite their memory or
internal value when done.

Once a password is entered into an application, it is in memory. If
that area of memory is not overwritten when the program is done, an
attacker can recover that password by examining memory (or the hard
drive if memory was swapped to disk).

Even the garbage collector will not destroy it. The memory can be
freed, but that will only mark it for use by something else. The
password still exists in memory until some other memory use just
happens to overwrite that location.

If instead passwords were supplied as character arrays (of type
"char[]"), key store implementations (supplied by different providers,
including the one that's built into JDK 1.2) may zeroize the internal
value of the password after it is no longer needed, or may even
obfuscate the password characters while held in memory, and
de-obfuscate them only right before the password is used (and
obfuscate the password again after it was used).

Both RSA Data Security (with their "RSA SecurPC" product) and PGP have
been hit by the same problem.

The java.security.KeyStore and java.security.KeyStoreSpi classes were
introduced in JDK 1.2. Other packages in the JDK that deal with
passwords (e.g., Swing) may want to make similar changes.
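An added example (not part of the bug report) of the char[] handling that the suggested fix makes possible in later JDKs: the password is read as a char[], handed to the char[] overloads of load() and getKey(), and overwritten in a finally block so no copy survives in the caller. The key store path and entry alias are assumed to come from the command line, and the PKCS12 key store is assumed to use the same password for the store and the entry.

```java
import java.io.Console;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;

public final class WipedKeyStorePassword {

    // Returns true when every element of the array has been overwritten.
    static boolean isWiped(char[] password) {
        for (char c : password) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    // Assumed inputs: args[0] is a PKCS12 key store file, args[1] an entry alias.
    public static void main(String[] args) throws Exception {
        Path file = Paths.get(args[0]);
        String alias = args[1];

        Console console = System.console();
        if (console == null) {
            System.err.println("No console available; run from a terminal.");
            return;
        }
        // Console.readPassword returns a char[] rather than a String so the
        // caller can zero it; never wrap it in new String(password).
        char[] password = console.readPassword("Key store password: ");

        try (InputStream in = Files.newInputStream(file)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, password);                 // char[] overload from this fix
            Key key = ks.getKey(alias, password);  // same password assumed for the entry
            System.out.println("Recovered " + key.getAlgorithm() + " key for " + alias);
        } finally {
            // Overwrite the only copy this code holds, whether or not loading succeeded.
            Arrays.fill(password, '\0');
        }
        System.out.println("Password wiped: " + isWiped(password));
    }
}
```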

Comments
CONVERTED DATA (BugTraq+ Release Management Values)
  • COMMIT TO FIX: generic
  • FIXED IN: 1.2beta4
  • INTEGRATED IN: 1.2beta4
14-06-2004

SUGGESTED FIX (jan.luehe@Eng, 1998-06-18)
In the methods below, replace "String password" with "char[] password":
  • java.security.KeyStore: getKey(), setKeyEntry(), store(), load()
  • java.security.KeyStoreSpi: engineGetKey(), engineSetKeyEntry(), engineStore(), engineLoad()
11-06-2004

EVALUATION (jan.luehe@Eng, 1998-06-23)
fixed.
23-06-1998