Patches welcome of course :) Gary
On Jul 25, 2013, at 15:10, Anshul Zunke <anshulzu...@gmail.com> wrote: > I was asked to convert String password to character password in my org > because of security issues and same immutable property of string was the > reason for it. > > > On Tue, Jul 9, 2013 at 11:09 PM, Roger L. Whitcomb < > roger.whitc...@actian.com> wrote: > >> Yes, 2.1 was what I meant... >> >> ~Roger Whitcomb >> >> -----Original Message----- >> From: Gary Gregory [mailto:garydgreg...@gmail.com] >> Sent: Monday, July 08, 2013 5:52 PM >> To: Commons Developers List >> Subject: Re: [VFS] Passing around password as byte[] instead >> >> On Mon, Jul 8, 2013 at 7:05 PM, Roger L. Whitcomb < >> roger.whitc...@actian.com >>> wrote: >> >>> Well, that's what .Net did with SecureString, and OpenSSL did as well. >>> There is a longer discussion here: >>> http://stackoverflow.com/questions/8881291/why-is-char-preferred-over- >>> st >>> ring-for-passwords >>> that talks more about the pros and cons. >>> >>> The main reason I bring it up is that, even though it doesn't provide >>> *that much* extra security, providing some help at the API levels >>> seems better than doing nothing ... It seems that, even though it >>> provides only minimal security, it is *still* considered best practice >>> to zero out password fields as soon as possible to minimize the >>> potential security risks. >>> >>> So, seeing that VFS 2.0 is not quite released yet, it seemed like a >>> good time to at least raise the question before the API is cast in stone. >> >> 2.0 has been out for a long time. 2.1 is ready for a release IMO. >> >> Gary >> >> >>> >>> I'd be willing to take a crack at a patch to implement this change if >>> there was enough interest. >>> >>> Thanks, >>> ~Roger >>> >>> -----Original Message----- >>> From: Honton, Charles [mailto:charles_hon...@intuit.com] >>> Sent: Monday, July 08, 2013 3:53 PM >>> To: Commons Developers List >>> Subject: Re: [VFS] Passing around password as byte[] instead >>> >>> Or maybe a Password class that's tailor designed to obsfucate and zero >>> contents... >>> >>> On 7/8/13 3:23 PM, "sebb" <seb...@gmail.com> wrote: >>> >>>> On 8 July 2013 23:05, Roger L. Whitcomb <roger.whitc...@actian.com> >>> wrote: >>>>> I had a thought that it would be more secure to pass password data >>>>> around in VFS as byte arrays instead of String objects so they >>>>> could less easily be found by memory dumpers/scanners. This would >>>>> apply (for >>>>> instance) to GenericFileName constructor and access methods, etc. >>>>> Obviously, at some point, you have to convert to String (like in >>>>> "GenericFileName.appendCredentials"), but it seems like at least >>>>> some >>> >>>>> level of obfuscation, as in storing the data as bytes might be >>>>> useful >>> >>>>> to increase security. >>>> >>>> Another reason for using bytes is that the array can be zeroed out - >>>> or >>> >>>> replaced with fake password to fool hackers ;-) - once it has been >>>> used. >>>> This is not possible with immutable strings. >>>> >>>>> >>>>> >>>>> Thoughts? Thanks. >>>>> >>>>> >>>>> >>>>> ~Roger Whitcomb >>>>> >>>>> Apache Pivot PMC Chair >>>> >>>> --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >>>> For additional commands, e-mail: dev-h...@commons.apache.org >>> >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >>> For additional commands, e-mail: dev-h...@commons.apache.org >>> >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >>> For additional commands, e-mail: dev-h...@commons.apache.org >> >> >> -- >> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org Java Persistence >> with Hibernate, Second Edition<http://www.manning.com/bauer3/> >> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/> >> Spring Batch in Action <http://www.manning.com/templier/> >> Blog: http://garygregory.wordpress.com >> Home: http://garygregory.com/ >> Tweet! http://twitter.com/GaryGregory >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >> For additional commands, e-mail: dev-h...@commons.apache.org > > > > -- > Anshul Zunke --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
