Why is char[] preferred over String for passwords?

Since Strings are immutable there is no way contents of Strings can be changed because any change will produce new String. Once you create a String object and later decide to change the password , there is no way you can empty out the string. You can only make the string eligible for garbage collection . Since String are used in String pool for reusability there is pretty high chance that it will remain in memory for long duration, which pose a security threat . With an char[] , you can explicitly wipe the data after you're done with it. You can overwrite the array with anything you like, and the password won't be present anywhere in the system, even before garbage collection . Java itself recommends using getPassword() method of JPasswordField which returns a char[] and deprecated getText() method which returns password in clear text stating security reason. Its good to follow advice from Java team and adhering to standard rather than going against it.

Why String is immutable in Java ?

The term Mutable means "can change" and Immutable means "cannot change" . An Immutable Object means that the state of the Object cannot change after its creation. Here the String is immutable means that you cannot change the object itself, but you can change the reference to the object. More about.... String Immutable in Java




Related Topics
  1. Java Interview Questions-Core Faq - 1
  2. Java Interview Questions-Core Faq - 2
  3. Java Interview Questions-Core Faq - 3
  4. Important features of Java
  5. Difference between Java and JavaScript?
  6. What is the difference between JDK and JRE?
  7. What gives Java its 'write once and run anywhere' nature?
  8. What is JVM and is it platform independent?
  9. What is Just-In-Time (JIT) compiler?
  10. What is the garbage collector in Java?
  11. What is NullPointerException in Java
  12. Difference between Stack and Heap memory in Java
  13. How to set the maximum memory usage for JVM?
  14. What is numeric promotion?
  15. Why do we need Generic Types in Java?
  16. What does it mean to be static in Java?
  17. What are final variables in Java?
  18. How Do Annotations Work in Java?
  19. How do I use the ternary operator in Java?
  20. What is instanceof keyword in Java?
  21. How ClassLoader Works in Java?
  22. What are fail-safe and fail-fast Iterators in Java
  23. What are method references?
  24. "Cannot Find Symbol" compile error
  25. Difference between system.gc() and runtime.gc()
  26. How to convert TimeStamp to Date in Java?
  27. Does garbage collection guarantee that a program will not run out of memory?
  28. How setting an Object to null help Garbage Collection?
  29. How do objects become eligible for garbage collection?
  30. How to calculate date difference in Java
  31. Difference between Path and Classpath
  32. Is Java "pass-by-reference" or "pass-by-value"?
  33. Difference between static and nonstatic methods java
  34. Why Java does not support pointers?
  35. What is package in Java?
  36. What are wrapper classes?
  37. What is singleton class in Java?
  38. Difference between Java Local Variable, Instance Variable and a Class Variable?
  39. Can a top level class be private or protected in java
  40. Are Polymorphism , Overloading and Overriding similar concepts?
  41. How to Use Locks in Java
  42. Why Multiple Inheritance is Not Supported in Java
  43. Why Java is not a pure Object Oriented language?
  44. Why can't a Java class be declared as static?
  45. Difference between Abstract class and Interface in Java
  46. Why do I need to override the equals and hashCode methods in Java?
  47. Why does Java not support operator overloading?
  48. What’s meant by anonymous class in Java?
  49. Static Vs Dynamic class loading in Java
  50. Why am I getting a NoClassDefFoundError in Java?
  51. How to generate random integers within a specific range in Java
  52. What's the meaning of System.out.println in Java?
  53. What is the purpose of Runtime and System class?
  54. What is finally block in Java?
  55. What is difference between final, finally and finalize?
  56. What is try-with-resources in java?
  57. What is a stacktrace?
  58. What is the meaning of immutable in terms of String?
  59. What are different ways to create a string object in Java?
  60. Difference between String and StringBuffer/StringBuilder in Java
  61. What is the difference between creating String as new() and literal?
  62. How do I convert String to Date object in Java?
  63. How do I create a Java string from the contents of a file?
  64. What actually causes a StackOverflow error in Java?
  65. What is I/O Filter and how do I use it in Java?
  66. Serialization and Deserialization in Java
  67. Understanding transient variables in Java
  68. What is Externalizable in Java?
  69. What is the purpose of serialization/deserialization in Java?
  70. What is the Difference between byte stream and Character streams
  71. How to append text to an existing file in Java
  72. Read/convert an InputStream to a String in Java
  73. What is the difference between Reader and InputStream in Java
  74. Introduction to Java threads
  75. What is synchronization Java?
  76. Static synchronization Vs non static synchronization in Java
  77. Java Thread Deadlock Tutorial
  78. What is Daemon thread in Java
  79. Difference between implements Runnable and extends Thread in Java
  80. What is the volatile keyword in Java
  81. What are the basic interfaces of Java Collections Framework
  82. What are the differences between ArrayList and Vector in Java
  83. What is the difference between ArrayList and LinkedList?
  84. What is the difference between List and Set in Java
  85. Difference between HashSet and HashMap in Java
  86. Difference between HashMap and Hashtable in Java?
  87. How does the hashCode() method of java works?
  88. Difference between capacity() and size() of Vector in Java
  89. What is a Java ClassNotFoundException?
  90. How to fix java.lang.UnsupportedClassVersionError