I'm looking for Java's equivalent of .NET's SecureString. Is there such an implementation available in 2018?
The OWASP implementation is not exactly the same because it's just a plain char array, while the .NET equivalent provides additional features such as the ability to get an instance from/to unmanaged memory and also encryption.
I'm aware of the common Java pattern to pass around passwords as char[] and do Arrays.fill() them with zeros after use. But it requires building a trivial utility class around char[] all the time.
Oracle has a GuardedString implementation. It is the closest match to .NET's SecureString solution.
I modified the OWASP version to randomly pad the char array in memory so the char array at rest is not stored with the actual characters.
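One way the char[] wrapper from the question and the masking idea in the last answer could look, as an added example that is not the answerer's, OWASP's or Oracle's code. The class name MaskedSecret, its access method and the XOR-with-random-pad scheme are assumptions chosen for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.function.Consumer;

/** Hypothetical wrapper: keeps a secret XOR-masked with a random pad while at rest. */
public final class MaskedSecret implements AutoCloseable {
    private static final SecureRandom RNG = new SecureRandom();
    private final char[] masked; // secret XOR pad, never the clear characters
    private final char[] pad;    // random mask, same length as the secret
    private boolean closed;

    /** Masks the input into private arrays, then zeroes the caller's array. */
    public MaskedSecret(char[] secret) {
        pad = new char[secret.length];
        masked = new char[secret.length];
        for (int i = 0; i < secret.length; i++) {
            pad[i] = (char) RNG.nextInt(1 << 16);
            masked[i] = (char) (secret[i] ^ pad[i]);
        }
        Arrays.fill(secret, '\0');
    }

    /** Unmasks into a temporary array for the consumer and wipes it afterwards. */
    public synchronized void access(Consumer<char[]> consumer) {
        if (closed) throw new IllegalStateException("secret already cleared");
        char[] clear = new char[masked.length];
        try {
            for (int i = 0; i < clear.length; i++) clear[i] = (char) (masked[i] ^ pad[i]);
            consumer.accept(clear);
        } finally {
            Arrays.fill(clear, '\0'); // wipe even if the consumer throws
        }
    }

    /** Zeroes both the masked data and the pad; later access() calls fail. */
    @Override
    public synchronized void close() {
        Arrays.fill(masked, '\0');
        Arrays.fill(pad, '\0');
        closed = true;
    }

    public static void main(String[] args) {
        char[] input = {'s', '3', 'c', 'r', '3', 't'}; // constructed sample value
        try (MaskedSecret s = new MaskedSecret(input)) {
            s.access(clear -> System.out.println("length while unmasked: " + clear.length));
        }
        System.out.println("caller copy wiped: " + (input[0] == '\0'));
    }
}
```

The pad lives in the same heap as the masked data, so this only keeps the clear characters out of simple heap-dump string searches; it is not encryption and does not stop someone who can read the process memory.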