为什么 char[] 优于 String 的密码?

2022-01-12 00:00:00 string char passwords security java

在 Swing 中,密码字段有一个 getPassword()(返回 char[])方法,而不是通常的 getText()(返回 String) 方法.同样,我遇到了一个建议不要使用 String 来处理密码.

In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords.

为什么 String 在涉及密码时会对安全性构成威胁?使用char[]感觉不方便.

Why does String pose a threat to security when it comes to passwords? It feels inconvenient to use char[].

推荐答案

字符串是不可变的.这意味着一旦您创建了 String,如果另一个进程可以转储内存,则没有办法(除了 reflection) 你可以在 垃圾收集开始.

Strings are immutable. That means once you've created the String, if another process can dump memory, there's no way (aside from reflection) you can get rid of the data before garbage collection kicks in.

使用数组,您可以在完成后显式擦除数据.你可以用任何你喜欢的东西覆盖数组,密码不会出现在系统的任何地方,甚至在垃圾回收之前.

With an array, you can explicitly wipe the data after you're done with it. You can overwrite the array with anything you like, and the password won't be present anywhere in the system, even before garbage collection.

所以是的,这是一个安全问题 - 但即使使用 char[] 也只会减少攻击者的机会之窗,而且它仅适用于这种特定类型的攻击.

So yes, this is a security concern - but even using char[] only reduces the window of opportunity for an attacker, and it's only for this specific type of attack.

如评论中所述,被垃圾收集器移动的数组可能会在内存中留下数据的杂散副本.我相信这是特定于实现的 - 垃圾收集器可能清除所有内存,以避免这种事情.即使是这样,仍然有一段时间 char[] 包含实际字符作为攻击窗口.

As noted in the comments, it's possible that arrays being moved by the garbage collector will leave stray copies of the data in memory. I believe this is implementation-specific - the garbage collector may clear all memory as it goes, to avoid this sort of thing. Even if it does, there's still the time during which the char[] contains the actual characters as an attack window.

相关文章