"Roger L. Whitcomb" <roger.whitc...@actian.com> wrote:

>I had a thought that it would be more secure to pass password data
>around in VFS as byte arrays instead of String objects so they could
>less easily be found by memory dumpers/scanners.  This would apply (for
>instance) to GenericFileName constructor and access methods, etc.
>Obviously, at some point, you have to convert to String (like in
>"GenericFileName.appendCredentials"), but it seems like at least some
>level of obfuscation, as in storing the data as bytes, might be useful to
>increase security.
>
>Thoughts?  Thanks.
>
>~Roger Whitcomb
>
>Apache Pivot PMC Chair

<hat type="asf security team member">
Security by obscurity is no security at all.

It provides a trivial obstacle to an attacker, makes debugging annoyingly 
harder and may fool security unaware users into thinking their system is more 
secure than it really is.

If an attacker has gained enough access to scan and/or dump the memory of a 
process, it is already game over for any data passing through that process unless 
a) the data is strongly encrypted and b) the process does not ever have access 
to the decryption key.
</hat>
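As an added illustration of the limit the reply points at (example code written for this page, not Commons VFS code; `WipeableSecret` and the `appendCredentials` stand-in are hypothetical names, and the password value is constructed sample input): a `byte[]` can be overwritten once it is no longer needed, but the `String` that `appendCredentials`-style code must eventually build is immutable and cannot be wiped, so a memory dump taken after that point still yields the password.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Hypothetical holder for password bytes that can be wiped when no longer needed. */
final class WipeableSecret implements AutoCloseable {
    private final byte[] bytes;

    WipeableSecret(byte[] bytes) {
        // Defensive copy so the caller cannot keep a live reference this class does not control.
        this.bytes = bytes.clone();
    }

    byte[] bytes() {
        return bytes;
    }

    /** Overwrite the buffer so the plaintext does not linger in this object after use. */
    @Override
    public void close() {
        Arrays.fill(bytes, (byte) 0);
    }
}

public class SecretLifetimeDemo {
    /** Stand-in for a URI-building step such as GenericFileName.appendCredentials (hypothetical). */
    static String appendCredentials(String user, WipeableSecret password) {
        // The moment a String is built, an immutable copy of the password exists on the heap.
        return user + ":" + new String(password.bytes(), StandardCharsets.UTF_8) + "@";
    }

    public static void main(String[] args) {
        byte[] raw = "s3cr3t".getBytes(StandardCharsets.UTF_8); // constructed sample input
        String uriPrefix;
        byte[] wipedView;
        try (WipeableSecret secret = new WipeableSecret(raw)) {
            uriPrefix = appendCredentials("alice", secret);
            wipedView = secret.bytes(); // same array; will be zeroed by close()
        }
        Arrays.fill(raw, (byte) 0); // wipe the caller's own copy too

        // The byte[] copies are gone...
        System.out.println("wiped buffer: " + Arrays.toString(wipedView));
        // ...but the String built from them is immutable and cannot be cleared; it stays
        // readable in a heap dump until the GC happens to reclaim and reuse that memory.
        System.out.println("string copy : " + uriPrefix);
    }
}
```

Wiping the array narrows the window during which the bytes are resident, but it does nothing against an attacker who can already read process memory: the `String` copy, the UTF-8 decoder's intermediate buffers and any JIT-compiled temporaries are all outside the caller's control, which is the point the reply makes.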
