创建帐户时,如何将密码哈希安全地存储在内存中?
我们基于 Web 的应用程序将用户帐户绑定到具有在帐户创建期间指定的密码的用户.在 Java 的情况下,如何安全地处理密码,然后将其哈希保存在数据库中.
Our web-based applications has user accounts tied down to users with the passwords specified during account creation. In the case of Java, how does one process the password securely, before persisting its hash in the database.
更具体地说,如何确保保存密码的字符串在足够短的时间间隔内被垃圾回收?
To be more specific, how does one ensure that the string holding the password is garbage collected within a sufficiently short interval of time ?
推荐答案
如果有可能(在 web 应用程序中可能很难),最好将密码存储在字符数组中而不是存储在字符串中.如果您完成了密码的存储,您可以使用 Array.fill() 并通过丢弃它使引用可用于垃圾收集器:
If you have the possibility (may be difficult in web applications), it would be better to store passwords in character arrays than to store them in strings. If you finished storing the password you can overwrite it in memory by using Array.fill() and make the reference available for the garbage collector by discarding it:
Arrays.fill(password, ' ');
password = null;
我刚刚注意到,取消密码有点偏执,但如果它让你放心,你可以这样做:)
I just noticed that nulling the password would be a bit paranoid but you can do if it reassures you :)
相关文章