Increased security: store BasicAuthenticator password as a char[] and zero before release

Description

It is best practice to keep passwords in memory, where malicious library code could observe them, for as short a time as possible. Java strings are immutable and cannot be zeroed out. Representing the password as a char[] allows it to be cleared when it is released.
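As an added illustration of the char[] approach described above (example code, not the project's own BasicAuthenticator; the class name, method names and sample password are assumptions), a minimal credential holder that hands out copies and zeroes its own copy on release:

```java
import java.util.Arrays;

// Added example: a char[]-based credential holder modelled on the issue text.
// Names are hypothetical, not the project's real API.
public final class BasicAuthCredential implements AutoCloseable {
    private final String username;
    private final char[] password;   // held as char[] so it can be zeroed later
    private boolean closed;

    public BasicAuthCredential(String username, char[] password) {
        this.username = username;
        // Defensive copy: the caller keeps ownership of (and must clear) its own array.
        this.password = Arrays.copyOf(password, password.length);
    }

    public String getUsername() { return username; }

    // Returns a fresh copy; the caller is responsible for clearing it when done.
    public char[] getPasswordChars() {
        if (closed) throw new IllegalStateException("credential already cleared");
        return Arrays.copyOf(password, password.length);
    }

    // Zero the stored secret so it does not linger on the heap until GC.
    @Override
    public void close() {
        Arrays.fill(password, '\0');
        closed = true;
    }

    public static void main(String[] args) {
        char[] typed = {'s', 'e', 'c', 'r', 'e', 't'}; // constructed sample input
        try (BasicAuthCredential cred = new BasicAuthCredential("alice", typed)) {
            Arrays.fill(typed, '\0');        // clear the caller's own copy immediately
            char[] pw = cred.getPasswordChars();
            try {
                // ... use pw to build the Authorization header here ...
                System.out.println("password chars in use: " + pw.length);
            } finally {
                Arrays.fill(pw, '\0');       // caller clears the returned copy
            }
        }
        // All three arrays are now zeroed; a String would have stayed intact until GC.
    }
}
```

Converting the char[] back into a String (for example to Base64-encode the header) reintroduces an immutable copy, so encode from a byte[] and zero that buffer as well.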

Activity

Blake Meike March 3, 2023 at 7:47 PM

BasicAuthenticator.getPassword(): String is deprecated and replaced with BasicAuthenticator.getPasswordChars(): Array<Char>. The returned array is a new copy of the password and the client code is responsible for clearing it.

Fixed
Created March 3, 2023 at 7:46 PM
Updated September 17, 2024 at 7:15 PM
Resolved July 24, 2024 at 8:49 PM