Why is char[] preferred over String for passwords?

Due to the immutability of Strings, their contents cannot be altered, as any modification would result in a new String object. Once a String object is created and you later decide to change the password, there is no means to empty the string. The only possibility is to render the string eligible for garbage collection. Since Strings are utilized in the String pool for reusability, there is a significant likelihood that they will persist in memory for an extended period, which poses a security risk.

On the other hand, with a char[], you have the ability to explicitly erase the data once you have finished using it. You can overwrite the array with any value of your choosing, ensuring that the password will not exist anywhere in the system, even prior to garbage collection.

Java itself advises the use of the getPassword() method of JPasswordField, which returns a char[], while deprecating the getText() method, which returns the password in clear text, citing security reasons. It is advisable to heed the guidance of the Java team and adhere to established standards, rather than going against them.

Why String is immutable in Java ?

The term "Mutable" denotes the characteristic of an entity being susceptible to change, while "Immutable" signifies the opposite, indicating that the entity is inherently resistant to modification. In the context of objects, an Immutable Object refers to an entity whose state remains unalterable following its creation. Regarding Strings specifically, their immutability denotes that it is not possible to modify the object itself, but it is feasible to modify the reference pointing to the object.

When we describe an object as immutable, we imply that its fundamental attributes, or its internal state, cannot be modified once it has been instantiated. This immutability provides several advantages, including improved predictability, enhanced thread safety, and simplification of concurrent programming. Immutable objects ensure that their values remain constant throughout their existence, eliminating concerns related to accidental modifications or unexpected behavior caused by external factors.

Returning to the specific case of Strings, their immutability is a fundamental characteristic of the Java programming language. Although you cannot alter the content of a String object directly, it is essential to recognize that you can create a new String object with a modified value and assign it to a different reference. This behavior stems from the fact that Strings in Java are implemented as objects rather than primitive data types, and their immutability serves as a means to uphold data integrity and preserve memory efficiency.






Related Topics
  1. Java Interview Questions-Core Faq - 1
  2. Java Interview Questions-Core Faq - 2
  3. Java Interview Questions-Core Faq - 3
  4. What are the major features of Java programming
  1. Difference between Java and JavaScript?
  2. What is the difference between JDK and JRE?
  3. What gives Java its 'write once and run anywhere' nature?
  4. What is JVM and is it platform independent?
  5. What is Just-In-Time (JIT) compiler?
  6. What is the garbage collector in Java?
  7. What is NullPointerException in Java
  8. Difference between Stack and Heap memory in Java
  9. How to set the maximum memory usage for JVM?
  10. What is numeric promotion?
  11. Why do we need Generic Types in Java?
  12. What does it mean to be static in Java?
  13. What are final variables in Java?
  14. How Do Annotations Work in Java?
  15. How do I use the ternary operator in Java?
  16. What is instanceof keyword in Java?
  17. How ClassLoader Works in Java?
  18. What are fail-safe and fail-fast Iterators in Java
  19. What are method references in Java?
  20. "Cannot Find Symbol" compile error
  21. Difference between system.gc() and runtime.gc()
  22. How to convert TimeStamp to Date in Java?
  23. Does garbage collection guarantee that a program will not run out of memory?
  24. How setting an Object to null help Garbage Collection?
  25. How do objects become eligible for garbage collection?
  26. How to calculate date difference in Java
  27. Difference between Path and Classpath in Java
  28. Is Java "pass-by-reference" or "pass-by-value"?
  29. Difference between static and nonstatic methods java
  30. Why Java does not support pointers?
  31. What is a package in Java?
  32. What are wrapper classes in Java?
  33. What is singleton class in Java?
  34. Difference between Java Local Variable, Instance Variable and a Class Variable?
  35. Can a top level class be private or protected in Java
  36. Are Polymorphism , Overloading and Overriding similar concepts?
  37. How to Use Locks in Java
  38. Why Multiple Inheritance is Not Supported in Java
  39. Why Java is not a pure Object Oriented language?
  40. Static class in Java
  41. Difference between Abstract class and Interface in Java
  42. Why do I need to override the equals and hashCode methods in Java?
  43. Why does Java not support operator overloading?
  44. What’s meant by anonymous class in Java?
  45. Static Vs Dynamic class loading in Java
  46. Why am I getting a NoClassDefFoundError in Java?
  47. How to Generate Random Number in Java
  48. What's the meaning of System.out.println in Java?
  49. What is the purpose of Runtime and System class in Java?
  50. The finally Block in Java
  51. Difference between final, finally and finalize
  52. What is try-with-resources in java?
  53. What is a stacktrace?
  54. Why String is immutable in Java ?
  55. What are different ways to create a string object in Java?
  56. Difference between String and StringBuffer/StringBuilder in Java
  57. Difference between creating String as new() and literal | Java
  58. How do I convert String to Date object in Java?
  59. How do I create a Java string from the contents of a file?
  60. What actually causes a StackOverflow error in Java?
  61. What is I/O Filter and how do I use it in Java?
  62. Serialization and Deserialization in Java
  63. Understanding transient variables in Java
  64. What is Externalizable in Java?
  65. What is the purpose of serialization/deserialization in Java?
  66. What is the Difference between byte stream and Character streams
  67. How to append text to an existing file in Java
  68. How to convert InputStream object to a String in Java
  69. What is the difference between Reader and InputStream in Java
  70. Introduction to Java threads
  71. What is synchronization Java?
  72. Static synchronization Vs non static synchronization in Java
  73. Deadlock in Java with Examples
  74. What is Daemon thread in Java
  75. Difference between implements Runnable and extends Thread in Java
  76. What is the volatile keyword in Java
  77. What are the basic interfaces of Java Collections Framework
  78. What are the differences between ArrayList and Vector in Java
  79. What is the difference between ArrayList and LinkedList?
  80. What is the difference between List and Set in Java
  81. Difference between HashSet and HashMap in Java
  82. Difference between HashMap and Hashtable in Java?
  83. How does the hashCode() method of java works?
  84. Difference between capacity() and size() of Vector in Java
  85. What is a Java ClassNotFoundException?
  86. How to fix java.lang.UnsupportedClassVersionError