tusury / vt-middleware

Automatically exported from code.google.com/p/vt-middleware

vt-password: Password must not be stored in a String #217

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
Your API provides a Password constructor with a String as parameter. This 
forces your users to store the plain-text password in a String. This is a 
security issue.

What is the expected output? What do you see instead?
A Passport constructor with a byte/char array as parameter.

What version of the product are you using? On what operating system?
3.1.2

Original issue reported on code.google.com by G.Delafo...@gmail.com on 22 Apr 2014 at 1:28

GoogleCodeExporter commented 8 years ago
Changing String to char[] would provide a very minor security improvement, but 
would also make our APIs much harder to work with.
Some of our Rules require Strings, so deployers would have to be aware that the 
use of some rules will naturally result in the construction of Strings.
Those sorts of concerns make me believe that we're better off educating 
deployers on how to secure their systems rather than attempting to defend 
against this type of attack.

Original comment by dfis...@gmail.com on 10 Oct 2014 at 2:21
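
The trade-off discussed in this thread, as an added example that is not part of the original issue and not vt-password code: a password held in a `char[]` that is checked against a rule, encoded for hashing and then overwritten, without ever building a `String`. The class `CharPassword` and its methods `meetsPolicy` and `toUtf8` are hypothetical names chosen for illustration, and the sample password is constructed.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical holder class for illustration; not part of the vt-password API.
public final class CharPassword implements AutoCloseable {
    private final char[] chars;

    public CharPassword(char[] input) {
        this.chars = input.clone(); // private copy; the caller wipes its own array
    }

    // Example rule evaluated directly on the array:
    // minimum length, at least one digit and one upper-case letter.
    public boolean meetsPolicy(int minLength) {
        boolean digit = false, upper = false;
        for (char c : chars) {
            digit |= Character.isDigit(c);
            upper |= Character.isUpperCase(c);
        }
        return chars.length >= minLength && digit && upper;
    }

    // UTF-8 bytes for a hash function, without String.getBytes(); caller wipes the result.
    public byte[] toUtf8() {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) Arrays.fill(buf.array(), (byte) 0); // wipe the encoder's buffer
        return out;
    }

    @Override
    public void close() {
        Arrays.fill(chars, '\0'); // overwrite the private copy
    }

    public static void main(String[] args) {
        // Constructed sample; Console.readPassword() also returns a char[].
        char[] typed = {'S', '3', 'c', 'r', 'e', 't', '!', 'x'};
        try (CharPassword pw = new CharPassword(typed)) {
            System.out.println("policy ok: " + pw.meetsPolicy(8));
            byte[] utf8 = pw.toUtf8();
            System.out.println("utf8 length: " + utf8.length);
            Arrays.fill(utf8, (byte) 0);
        } finally {
            Arrays.fill(typed, '\0');
        }
    }
}
```

Overwriting is best effort: the JVM's garbage collector may have relocated the array and left an earlier copy in memory, and any rule that needs a `String` (for example one built on `java.util.regex` with `String` input) reintroduces an immutable copy that cannot be wiped.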