Home object or container used to store sensitive information
Reply: 3

object or container used to store sensitive information

user3181365
1#
user3181365 Published in 2018-01-13 06:52:26Z

This is asked in one of my interviews:

In Java what object or container is used to store sensitive information?

When I searched I got this link Why is char[] preferred over String for passwords?

So is character array is the right answer to this question?

EJP
2#
EJP Reply to 2018-01-14 08:38:24Z

It could be that the interviewer was after KeyStore, but a more general answer would be SealedObject.

The answer about char only applies as against String, because you can wipe a char but not a String.

Makoto
3#
Makoto Reply to 2018-01-13 06:58:44Z

If I had to hazard a guess, it would likely be the KeyStore class. If you do anything with a signed web certificate (like serve HTTPS in Spring Boot or use Tomcat to serve HTTPS traffic), or need to have some encrypted credentials in-situ in your application, this is the class one typically uses.

Character arrays are great in that they're not as vulnerable to pre-garbage collection attacks, but there's no inherent encryption or security to those by default.

wolcen
4#
wolcen Reply to 2018-01-13 07:12:41Z

Unfortunately, your question ultimately lacks both clarity and context for the question that'd been asked of you, but I'll make the default assumption and go with "a private member" as the most likely desired answer. So: no, I suspect answering with "a character array" may have even raised an eyebrow IF you did not follow up with the specifically recommended use case for char[]s. That use case only has to do with explicitly obfuscating data in memory when you are done with that value and no other inherent protections while you need the value in memory.

You need to login account before you can post.

About| Privacy statement| Terms of Service| Advertising| Contact us| Help| Sitemap|
Processed in 0.318928 second(s) , Gzip On .

© 2016 Powered by mzan.com design MATCHINFO