Closed. YuviMeiyappan closed this issue 4 years ago.

https://github.com/vt-middleware/passay/blob/49568154b621e3fd38e88df18f739b015f357033/src/main/java/org/passay/PasswordData.java#L29

String being immutable, anyone who has access to a memory dump can read the password. This causes a security concern.

If an attacker has enough access to dump memory I think you have bigger problems.

One reason the password is stored as a string is that many rules depend on the String API. So much so that your attacker would likely find the password in memory regardless, even if this particular instance of the password was a char[].

That said, if you have a patch that demonstrates this change I'll take a look at it.

No feedback from reporter. Feel free to reopen this for further discussion.
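As an added example (not passay's own code and not part of the thread above), the following Java sketch shows the trade-off the maintainer describes: a password held in a char[] can be zeroed once validation is done, but a rule that needs the String API must either work through a CharSequence view of the array or call new String(chars), which leaves an immutable copy in the heap until garbage collection. The PasswordBuffer class and its rule methods are hypothetical names chosen for this illustration; the sample password is constructed.

```java
import java.nio.CharBuffer;
import java.util.Arrays;
import java.util.regex.Pattern;

/**
 * Added illustration, not passay code. Holds a password as char[] so it can
 * be cleared, and shows which kinds of rule can run without creating a String.
 * PasswordBuffer and its rule methods are hypothetical names.
 */
public final class PasswordBuffer implements AutoCloseable {
    private final char[] chars;
    private boolean cleared;

    public PasswordBuffer(char[] source) {
        // Defensive copy: the caller's array and this one can be cleared independently.
        this.chars = source.clone();
    }

    /** Rule written against the array: no String is materialised. */
    public boolean hasMinimumLength(int min) {
        ensureOpen();
        return chars.length >= min;
    }

    /** Rule written against the array: character-class check without a String. */
    public boolean hasDigitAndLetter() {
        ensureOpen();
        boolean digit = false;
        boolean letter = false;
        for (char c : chars) {
            if (Character.isDigit(c)) {
                digit = true;
            } else if (Character.isLetter(c)) {
                letter = true;
            }
        }
        return digit && letter;
    }

    /**
     * Rule that depends on the String API: java.util.regex needs a CharSequence.
     * CharBuffer.wrap gives a view over the same array, so no copy is made.
     * Calling new String(chars) here instead would create an immutable copy that
     * cannot be zeroed and survives until the garbage collector reclaims it,
     * which is the point the maintainer makes about rules built on String.
     */
    public boolean matches(Pattern pattern) {
        ensureOpen();
        return pattern.matcher(CharBuffer.wrap(chars)).find();
    }

    /** Zero the array so the secret's lifetime in this buffer ends here. */
    @Override
    public void close() {
        Arrays.fill(chars, '\0');
        cleared = true;
    }

    public boolean isCleared() {
        return cleared;
    }

    private void ensureOpen() {
        if (cleared) {
            throw new IllegalStateException("password buffer already cleared");
        }
    }

    public static void main(String[] args) {
        // Constructed sample. Note that a String literal is itself an immutable
        // heap object; real code would take the char[] straight from a source such as
        // java.io.Console.readPassword() or javax.swing.JPasswordField.getPassword().
        char[] fromInput = "Tr0ub4dor&3".toCharArray();
        try (PasswordBuffer pw = new PasswordBuffer(fromInput)) {
            System.out.println("length >= 8:   " + pw.hasMinimumLength(8));
            System.out.println("digit+letter:  " + pw.hasDigitAndLetter());
            System.out.println("no whitespace: " + !pw.matches(Pattern.compile("\\s")));
        }
        // The caller clears its own copy as well once the rules have run.
        Arrays.fill(fromInput, '\0');
    }
}
```

The two array-based rules never leave a String behind, and the regex rule avoids one only because Pattern accepts any CharSequence. A rule set that calls String methods directly (contains, toLowerCase, split and the like) forces the copy regardless of how PasswordData itself stores the value, which is why switching that one field to char[] does not by itself keep the password out of a heap dump.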