Java: Console class
Possible Duplicate:
Why is char[] preferred over string for passwords?
Reading the java documentation, i found this statement about Console class
First, it suppresses echoing, so the password is not visible on the user's screen. Second, readPassword returns a character array, not a String, so the password can be overwritten, removing it from memory as soon as it is no longer needed.
Why a character array can be overwritten and a String not? Or maybe a character array can be overwritted in a more simple way?
A String
could be kept in something called a String pool
by the JVM to manage memory usage for String
s more efficiently. A side effect of this however, is that it may be kept in memory even after you overwrite the reference with a new String
.
A character array however can be directly overwritten, and is therefore safer in this respect.
From the Sun Certified Java Programmer for Java 6 Study Guide:
the readPassword method doesn't return a string: it returns a character array. Here's the reason for this: Once you've got the password, you can verify it and then absolutely remove it from memory. If a string was returned, it could exist in a pool somewhere in memory and perhaps some nefarious hacker could find it.
链接地址: http://www.djcxy.com/p/17890.html上一篇: 为什么要从Object JPasswordField返回一个char []?getPassword()?
下一篇: Java:控制台类