...
While this fixes the decryption problem from the previous noncompliant code example, at runtime this code may inadvertently store the passwords as cleartext. Java String objects are immutable, so assigning a new value to a String variable does not necessarily overwrite the memory where the previous string was stored. Because the password arguments may therefore never be cleared, it is very difficult to ensure that the cleartext is actually removed from memory by the Java garbage collector. See MSC10-J. Limit the lifetime of sensitive data for more information.
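The following is an added illustration of the approach MSC10-J points to, not the page's own compliant solution: the password stays in a char[] and is fed to MessageDigest without ever becoming a String, so every buffer the method controls can be zeroed before it returns. The choice of SHA-256, the sample salt and the sample password are assumptions made for the demo.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public final class PasswordHasher {

    // Hashes a password held in a char[] without creating a String.
    // Unlike an immutable String, every buffer used here can be overwritten,
    // so the cleartext does not linger until the garbage collector runs.
    public static byte[] hash(char[] password, byte[] salt)
            throws NoSuchAlgorithmException {
        // Encode straight from the char[] into a byte buffer; no String is involved.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] passwordBytes = new byte[encoded.remaining()];
        encoded.get(passwordBytes);
        try {
            // Algorithm name is an assumption for this demo.
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(passwordBytes);
            return md.digest();
        } finally {
            // Overwrite every copy of the cleartext this method created or was given.
            Arrays.fill(passwordBytes, (byte) 0);
            Arrays.fill(password, '\0');
            if (encoded.hasArray()) {
                Arrays.fill(encoded.array(), (byte) 0);
            }
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample input. In real code obtain the char[] from
        // Console.readPassword(), which returns a char[] for exactly this reason;
        // a caller that passes a String literal reintroduces the problem.
        char[] pw = {'s', 'a', 'm', 'p', 'l', 'e'};
        byte[] salt = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08}; // constructed
        byte[] digest = hash(pw, salt);
        System.out.println("digest length: " + digest.length); // 32 for SHA-256
        System.out.println("buffer cleared: " + (pw[0] == '\0'));  // true
    }
}
```

Only the digest survives the call; the char[] the caller supplied has been zeroed in place, which is why the caller must not keep a String copy elsewhere.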
...