String is an immutable class which remains in memory until garbage collection is performed, whereas a character array is mutable and its value can be overwritten with another value for security reasons.
OK, then if we reinitialize a string to null, what will happen?
Because the String object is immutable it remains in memory until it is removed by the garbage collector, so reinitializing it to null will not improve security; it can be read by a hacker.
@ratnesh reinitializing it to null will not solve the problem. You just make that object eligible for the garbage collector. A String object is immutable; it cannot be altered.
Suppose by chance you create another String object using the same string literal; it may return the same object (interned String). Just take a look at the following example:
String s = "password";
String r = "password";
System.out.println(s == r); // prints true because both hold a reference to the same interned object
Here are a few reasons why a character array is better than String for storing passwords in Java
For the above example s and r are equal because they are stored as literals, not as objects. Strings declared as String s = "password" are stored in the string pool and it reuses them.
String stores its values in the string pool, which is cleaned out only by GC, whereas char doesn't store anything permanently. String stores values as text, whereas char values can be stored encrypted, so password stealing is more difficult with char.
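The two points raised in this thread, that equal string literals are interned into one shared object and that a String cannot be wiped while a char[] can, are shown together in the following added example. It is not code posted by any commenter above; the authenticator checkPassword, the class name and the sample secret are hypothetical, constructed for illustration.

```java
import java.util.Arrays;

public class PasswordHandling {

    // Equal compile-time literals resolve to the same interned object, as the
    // thread's s == r example claims. Returns true on any conforming JVM.
    static boolean literalsAreInterned() {
        String s = "password";
        String r = "password";
        return s == r;
    }

    // Hypothetical authenticator that consumes the password as char[] and never
    // turns it into a String, so no immutable copy lands in the heap or pool.
    // Constant-time over the shared length; the length itself is not hidden.
    static boolean checkPassword(char[] candidate, char[] expected) {
        if (candidate.length != expected.length) return false;
        int diff = 0;
        for (int i = 0; i < candidate.length; i++) {
            diff |= candidate[i] ^ expected[i];
        }
        return diff == 0;
    }

    // True when every element has been overwritten with '\0'.
    static boolean isWiped(char[] buf) {
        for (char c : buf) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) {
        System.out.println("literals interned: " + literalsAreInterned());

        // A String cannot be wiped: assigning null only drops one reference, and
        // the immutable object stays readable through any other reference (or in
        // a heap dump) until the garbage collector reclaims it.
        String asString = new String(new char[] {'h', 'u', 'n', 't', 'e', 'r', '2'});
        String stillAlive = asString;
        asString = null;
        System.out.println("String after nulling one reference: " + stillAlive);

        // A char[] is mutable: once the check is done, overwrite it in place.
        // Constructed sample secret, built without a String literal so that no
        // copy of it is interned. Real code would obtain it from
        // System.console().readPassword(), which also returns a char[].
        char[] pwd = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        char[] expected = {'h', 'u', 'n', 't', 'e', 'r', '2'};

        boolean ok = checkPassword(pwd, expected);
        Arrays.fill(pwd, '\0');
        Arrays.fill(expected, '\0');

        System.out.println("auth ok: " + ok);
        System.out.println("char[] wiped after use: " + isWiped(pwd));
    }
}
```

The check in main is the practical caveat: calling toCharArray() on a literal such as "hunter2" would have already placed an immutable copy in the string pool, so the benefit of char[] only holds when the secret never exists as a String at any point in its life, from input (readPassword) through comparison to the Arrays.fill wipe.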