From: SourceForge.net <no...@so...> - 2005-12-22 12:04:55
Bugs item #1362792, was opened at 2005-11-21 14:49
Message generated for change (Comment added) made by taphorn
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=712784&aid=1362792&group_id=128809

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: Java Client
Group: Security
Status: Pending
Resolution: Fixed
Priority: 5
Submitted By: Hendrik Brueckner (hbruckner)
Assigned to: Boris Fiuczynski (fiuczy)
Summary: setUserPassword(char[]) does not clear old password

Initial Comment:
Class: org.sblim.wbem.client.PasswordCredential

If the setUserPassword(char[]) method is used to change the password of the
PasswordCredential, the old password is not cleared and remains in memory
until the garbage collector decides to remove it.

The old password has to be cleared.

To provide better security it might be helpful to store the password in an
encrypted version and only decrypt it on request. This reduces the possibility
to fetch passwords by running a memory and/or swap analysis tool.

----------------------------------------------------------------------

>Comment By: Wolfgang Taphorn (taphorn)
Date: 2005-12-22 13:04

Message:
Logged In: YES
user_id=1238724

Integrated into build version 1.2.6

----------------------------------------------------------------------

Comment By: Boris Fiuczynski (fiuczy)
Date: 2005-11-22 13:17

Message:
Logged In: YES
user_id=1334328

Old password is now cleared from memory before new password value is set.
In-memory encryption of the password has not been implemented.

----------------------------------------------------------------------
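
The behaviour reported in this item and the fix described in the thread, shown side by side as an added example. This is not the SBLIM source: the class `ClearingCredentialDemo`, the nested `Credential` type, `setUserPasswordLeaky` and `isZeroed` are hypothetical names, and the passwords are constructed sample values.

```java
import java.util.Arrays;
import javax.security.auth.Destroyable;

public class ClearingCredentialDemo {
    // Hypothetical credential holder; name and layout are assumptions.
    static final class Credential implements Destroyable {
        private char[] password = new char[0];
        private boolean destroyed;

        // Reported behaviour: the old array is only dereferenced, so its
        // contents stay on the heap until the garbage collector reclaims it.
        synchronized void setUserPasswordLeaky(char[] newPassword) {
            password = newPassword.clone();
        }

        // Fixed behaviour: overwrite the old array, then keep a private copy
        // so later changes to the caller's array cannot alter stored state.
        synchronized void setUserPassword(char[] newPassword) {
            char[] copy = newPassword.clone(); // null fails here, before any wipe
            Arrays.fill(password, '\0');
            password = copy;
            destroyed = false;
        }

        @Override public synchronized void destroy() {
            Arrays.fill(password, '\0');
            password = new char[0];
            destroyed = true;
        }

        @Override public synchronized boolean isDestroyed() { return destroyed; }
    }

    static boolean isZeroed(char[] buf) {
        for (char c : buf) if (c != '\0') return false;
        return true;
    }

    public static void main(String[] args) {
        Credential cred = new Credential();
        cred.setUserPassword("old-secret".toCharArray()); // constructed sample value
        char[] stale = cred.password; // buffer a memory or swap analysis would find
        cred.setUserPasswordLeaky("new-secret".toCharArray());
        System.out.println("leaky setter wiped old buffer: " + isZeroed(stale));
        stale = cred.password;
        cred.setUserPassword("newer-secret".toCharArray());
        System.out.println("fixed setter wiped old buffer: " + isZeroed(stale));
        cred.destroy();
    }
}
```

Zeroing the array shortens the exposure window but does not remove copies that a compacting garbage collector or the caller's own buffers may still hold, and the string literals used here for brevity remain in memory, so real callers should pass passwords as `char[]` from the start.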