Generator-jhipster: Store passwords in char array instead of java String

Created on 15 Oct 2018 · 2 Comments · Source: jhipster/generator-jhipster

Overview of the feature request

Change password field in User from String into char[]

Motivation for or Use Case

I was asked an interesting question during an interview: is it okay to store passwords in a String? That led me to this question: https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords . This makes sense, and I've noticed that JHipster is also using String. I think it would be a good practice to store it in a char[].

Additional info:
https://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#PBEEx

Related issues or PR

I haven't found a related issue/PR.

area needs-discussion

All 2 comments

Oh yes you are totally right, this could be a real security issue!!

Then the problem is that this is not the only place where the password (or the JWT secret key!) gets read, and we would need to check all of those. I'm not sure this is doable everywhere; for example, when you log in, Spring Security uses the Servlet API underneath, and I'm pretty sure this maps the password to a String...

So that means that an admin could have access to passwords, even though they are never written to disk at any time. But I'm not sure we can correct all the use-cases here. Please note that, anyway, if an admin has full access to the JVM, it's very easy for him to modify any code and dump whatever he wants (and I'd go straight to the JWT secret key, personally!).

If anybody is willing to do a full audit here, and provide a solution, I'm totally for it, but I'm not sure it's possible. So if we have no solution I will close this in a few days.

So if we have no solution I will close this in a few days

I'm closing this, as it seems no one wants to investigate and analyze our code to see if it will be easy or not to do it.
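To make concrete what the issue asks for, and where the limitation described in the first comment bites, here is an added example written for this page. It is not JHipster, Spring Security or JDK sample code; the class name `PasswordHandling` and its methods are hypothetical, and the password and salt are constructed inline. It derives a PBKDF2 key from a password held in a char[] (the pattern the linked Oracle PBE example uses), wipes every copy afterwards, and shows that the same operation started from a String leaves a copy that cannot be wiped.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example for this page (not JHipster or Spring Security code; the
 * class and method names are hypothetical). Shows the char[] discipline the
 * issue asks for: derive a key from a password kept in a char[], wipe every
 * copy afterwards, and contrast that with a String, which can never be wiped.
 */
public final class PasswordHandling {

    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    private PasswordHandling() {
    }

    /**
     * Derives a PBKDF2-HMAC-SHA256 key from {@code password} and zeroes both the
     * caller's array and PBEKeySpec's internal copy before returning.
     */
    public static byte[] deriveKey(char[] password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        // PBEKeySpec clones the array it is given, so there are two copies to clear.
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();         // wipes the copy held inside the spec
            Arrays.fill(password, '\0');  // wipes the caller's array
        }
    }

    /**
     * Same derivation started from a String. The temporary char[] is wiped by
     * deriveKey, but the String itself is immutable and stays on the heap,
     * readable from a heap dump, until the garbage collector reclaims it.
     */
    public static byte[] deriveKeyFromString(String password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        char[] copy = password.toCharArray();
        return deriveKey(copy, salt);  // 'copy' is zeroed; 'password' cannot be
    }

    /** True when every element of {@code buf} has been zeroed. */
    public static boolean isWiped(char[] buf) {
        for (char c : buf) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Constructed sample password, built char by char so that no String is
        // ever created for it. Real code should read it the same way, e.g. via
        // System.console().readPassword(), which returns a char[].
        char[] password = {'s', '3', 'c', 'r', '3', 't', '!'};

        byte[] key = deriveKey(password, salt);
        System.out.println("derived key length (bytes): " + key.length);
        System.out.println("char[] wiped after use: " + isWiped(password));

        // The String path: the char[] copy is wiped, but 'leaked' is untouched
        // and still holds the password.
        String leaked = new String(new char[] {'s', '3', 'c', 'r', '3', 't', '!'});
        deriveKeyFromString(leaked, salt);
        System.out.println("String still readable after use: " + leaked);
    }
}
```

Two caveats a practitioner should keep in mind. First, as the maintainer notes, the login path in a Spring application gets the password from the Servlet API, where `HttpServletRequest.getParameter` returns a String, and Spring's `PasswordEncoder.encode` takes a `CharSequence`; a String copy therefore already exists before any code like the above runs, so the char[] discipline only helps on paths the application controls end to end (configuration secrets read into a char[], key derivation, console input). Second, zeroing the array removes the secret from that one buffer; a moving garbage collector may already have left a stale copy elsewhere in the heap, so this reduces the window in which a heap dump reveals the secret rather than closing it completely.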
