在创建帐户时,如何安全地将密码存储在内存中? [英] How does one store password hashes securely in memory, when creating accounts?
问题描述
我们基于网络的应用程序使用帐户创建期间指定的密码将用户帐户绑定到用户。在Java的情况下,在将其散列保存到数据库中之前,如何安全地处理密码。更具体地说,如何确保字符串保存密码在足够短的时间间隔内被垃圾收集? ),最好将字符数组中的密码存储起来,而不是将它们存储在字符串中。如果您完成存储密码,则可以使用 Array.fill(),并通过放弃它为垃圾收集器提供引用:
Arrays.fill(password,'');
password = null;
我刚刚注意到,将密码归零会有点偏执,但如果让您确信: )
Our web-based applications has user accounts tied down to users with the passwords specified during account creation. In the case of Java, how does one process the password securely, before persisting its hash in the database.
To be more specific, how does one ensure that the string holding the password is garbage collected within a sufficiently short interval of time ?
If you have the possibility (may be difficult in web applications), it would be better to store passwords in character arrays than to store them in strings. If you finished storing the password you can overwrite it in memory by using Array.fill() and make the reference available for the garbage collector by discarding it:
Arrays.fill(password, ' ');
password = null;
I just noticed that nulling the password would be a bit paranoid but you can do if it reassures you :)
这篇关于在创建帐户时,如何安全地将密码存储在内存中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
