The char[] Cult

2026-05-29

I'm sure you've heard it before. "Never store sensitive information in a String because it can be stored on the heap indefinitely in the JVM's String pool and zeroing it out might not erase it."

If someone is dumping the heap of a JVM, they're executing code locally on your machine. Whether they got access to JMX ports or added a Java instrumentation agent or LD_PRELOADed something in or have root on the machine doesn't matter. They compromised your machine, and you can only cover your ass at this point.

Next, if your program is dealing with ANY requests from the Internet, congratulations, that potentially sensitive data is getting stored as, you guessed it, a String.

Next, go open your computer settings and check how much of the memory is being swapped to the disk. It's likely more than you think, especially if you're using a laptop.

Next, the garbage collector runs when there are no longer any references to an object, when the heap is almost full, or when System.gc() is called. The garbage collector (unfortunately) runs finalize() and frees up the memory used by the object.

If your objects are very short lived, they will indeed be picked up by the garbage collector very quickly. Especially if you're creating a lot of them, as with Strings.

Also, let's use an encryption program as an example. When the user types the plaintext, that's a String. Using char[] for the key won't save you from shit when the plaintext is right there.

If your program only works in the command line or you're dealing with JPasswordFields, fine, use char[]. Zero it out afterwards with Arrays.fill and pat yourself on the back for obeying 'best practices'. It won't hurt anything, but it also won't protect you from a real-world attacker.

It's like the people that put a sticker over their camera when the real threat is the microphone. Or the people that install an antivirus and pop-up blocker and then go ahead and click everything anyway. They're missing the forest for the trees.

← Back to blog

Buzzwords to fulfill "Web 2.0" criteria: Less is more! Ruby on rails rocks! This is a public beta and start-up start up! Dave Legg is cool. AJAX is cool! http://isometric.sixsided.org/ http://www.slashdot.org/ Web 2.0 Web 2.0 Blogline blogroll foo mesh-up http://web2.0validator.com/ FireFox rocks! http://roker.dingens.web2.0php?foo=bar Nitro The Long Tail k2 share alike What is podcast podcasting Semantic Web blog foo.rdf Enlighten the FBI, CIA, Mossad et al: Bombe bomb George W. Bush G8 Heiligendamm Demonstration Attentat auf Schäuble Sprengstoff Dschihad jihad islam terror Allah Osama bin Laden Usama ibn Ladin Afghani Afghan Irak Iraq Krieg war anal sex KIPo teenager little girl vagina no its child by penis drogen drugs Stoff LSD THC mfg nuclear dirty bomb uran plutonium sarin U-Bahn Feuerlöscher Nägel Überwachung Vermummung Kaputze Schläger Klappmesser butterfly knife niger KKK Juden Nazi Hitler vergasen Auschwitz KZ Rauhkopierer Verbrecher illegal hacken cracken knacken sub zero day exploit xpl0itz Microsoft Windows Vista CSS decss DVD porn pr0n warez mp3z AllOfMP3.com TOR crypto break chipper AES DES RSA DNS LART BOFH w00t L.M.A.A. Fnord and line noise 不名誉なプログラムシステムディー Delete Any Files CVE-2012-1174 コンピューターが破壊された 0-Day ゼロデイ Root Exploit CVE-2017-1000082 コンピュータを好きなように実行させます systemd-resolvd Remote Code Execution CVE-2017-15908 サービス拒否 Denial of Service CVE-2017-9217 バッファオーバーフロー Buffer Overflow CVE-2015-7510 CVE-2018-15688 Arbitrary State Insertion 状態注入 Root Privilege Elevation CVE-2018-15686 10.0 ルートアカウントの不適切なアクセス Root Privilege Elevation Again 特権の昇格 CVE-2020-13776 カーネルパニック Kernel Panic CVE-2019-6454 Arbitrary Code Execution 任意のコードの実行 CVE-2020-1712 09 F9 Blu-Ray sony rootkit scandal Bouncy Castle Limewire Kazaa US-Export-Policy illegal munitions SEED Encryption South Korea Internet Explorer qBitTorrent MakeMKV disc decryption Dual_EC_DRBG Vault 7 Intel RDRAND Windows 98 NSAKEY ECHELON Weeping Angel Samsung smart TV authencsn SHA-256 ROT13 Mr. Robot TLS accelerator card Five Eyes WEP handshake weak initialization vector aircrack-ng 24-bits ECB Tux pattern recognition PATRIOT Act AT&T Room 614A Wikispooks Palantir Covid Vaccine Larry Silverstein Dermatologist Appointment 5G Chemtrails Urban Moving Systems Alex Jones Water poisoning GAY frogs ANT/TAO Operations TEMPEST attack Stuxnet I2P Mental Outlaw deep state Theodore Kaczynski Fort Meade Mark Klein wiretapping Utah Data Center OpenSSL Heartbleed 33 Thomas Street