Java Console; readPassword, how does an array protect from determining the password value?


Question

I was reading about the java.io.Console class in one of the Java certification books. Possibly I've missed something fundamental from a previous chapter, but can someone explain the below?

It mentions that the readPassword method returns a character array instead of a String, to prevent a potential hacker from finding this String and then finding the password.

How is a character array safer? If you could obtain the values in the array then could you not create a script to loop through various combinations and eventually find the password anyway?

Recommended answer

The Console object supports secure password entry through its readPassword method. This method helps secure password entry in two ways. First, it suppresses echoing, so the password is not visible on the user's screen. Second, readPassword returns a character array, not a String, so the password can be overwritten, removing it from memory as soon as it is no longer needed.

The idea here is that you can call Arrays.fill (or equivalent) to "blank" the char array as soon as you've validated the password, and from that point the password is no longer stored in memory. Since Strings are immutable, the String will remain in the heap until it is garbage collected - which if it manages to get itself interned will be never, and in any other case could still be "too long". All the while it is there, it's potentially vulnerable to sniffing from a variety of vectors.
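The wipe-after-use pattern described in the answer, as an added example that is not part of the original answer or of any book it refers to. The class name, prompts and PBKDF2 parameters are assumptions chosen for the demo; the program sets a password and then verifies a second entry against it, so no stored value is needed.

```java
import java.io.Console;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordWipeDemo {
    private static final int ITERATIONS = 210_000; // constructed demo value
    private static final int KEY_BITS = 256;       // constructed demo value

    // Derives a PBKDF2 verifier from the char[] and clears the spec's internal copy.
    static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec clones the array, so wipe that clone too
        }
    }

    // Reads a password without echo, derives the verifier, then blanks the array.
    static byte[] readAndDerive(Console console, String prompt, byte[] salt)
            throws GeneralSecurityException {
        char[] password = console.readPassword(prompt);
        if (password == null) { // readPassword returns null at end of stream
            throw new IllegalStateException("end of input while reading password");
        }
        try {
            return derive(password, salt);
        } finally {
            Arrays.fill(password, '\0'); // overwritten even if derive() throws
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        Console console = System.console();
        if (console == null) { // no terminal attached, e.g. input is redirected
            System.err.println("No interactive console available");
            return;
        }
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] stored = readAndDerive(console, "Set password: ", salt);
        byte[] attempt = readAndDerive(console, "Confirm password: ", salt);
        // Constant-time comparison of derived verifiers, never of the plaintext.
        System.out.println(MessageDigest.isEqual(stored, attempt) ? "match" : "mismatch");
    }
}
```

Converting the array to a String at any point (for example `new String(password)`) reintroduces the immutable copy the answer warns about, so the plaintext should stay in `char[]` from read to wipe.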
