We have a security requirement where we must not leave passwords and other secrets in memory for long. We must “wipe-out” such secrets in memory as soon as we are done with using them. Passwords are currently modeled as an “xsd:string” in our system resulting in a Java String class to manipulate them. Java String is immutable in that there is no way to write spaces or other characters to the memory used by this object after we are done with it.
I don’t see a way to use, say, a character array to bind passwords. Has anyone else come across this issue? What is the recommended approach? Thanks
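The wiping half of the requirement is straightforward once the secret exists as a `char[]` rather than a `String`. The following is an added example, not code from the original post or its binding framework; it assumes the binding layer can be persuaded to hand the password over as a `char[]` (the part the post is asking about) and only shows how to hold, compare and zero it afterwards. The class name `WipeableSecret` and the sample values are constructed for the example.

```java
import java.util.Arrays;

/**
 * Keeps a secret in a mutable char[] and zeroes it on close().
 * Meant for try-with-resources so the wipe also happens when an exception is thrown.
 */
public final class WipeableSecret implements AutoCloseable {
    private final char[] chars;
    private boolean wiped;

    /** Takes ownership of the array; the caller must not keep using its own reference. */
    public WipeableSecret(char[] chars) {
        this.chars = chars;
    }

    /** The live secret; refuses to hand out an array that has already been zeroed. */
    public char[] chars() {
        if (wiped) {
            throw new IllegalStateException("secret already wiped");
        }
        return chars;
    }

    public boolean isWiped() {
        return wiped;
    }

    /** Overwrites every character in place and marks the secret unusable. */
    @Override
    public void close() {
        Arrays.fill(chars, '\0');
        wiped = true;
    }

    /**
     * Compares against another char[] without short-circuiting on the first mismatch,
     * so the comparison time does not leak where the two values diverge.
     */
    public boolean matches(char[] other) {
        char[] mine = chars();
        int diff = mine.length ^ other.length;
        int n = Math.min(mine.length, other.length);
        for (int i = 0; i < n; i++) {
            diff |= mine[i] ^ other[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed input. A real program would obtain the char[] directly, e.g. from
        // System.console().readPassword(); going through a String literal as done here
        // leaves an unwipeable copy in the String pool, which is exactly the problem the
        // post describes for xsd:string-bound passwords.
        char[] entered = "correct horse".toCharArray();
        char[] expected = "correct horse".toCharArray();

        try (WipeableSecret secret = new WipeableSecret(entered)) {
            System.out.println("match: " + secret.matches(expected));
        }
        // The backing array is now all '\0' even though main still holds a reference to it.
        System.out.println("wiped: " + Arrays.equals(entered, new char[entered.length]));
        Arrays.fill(expected, '\0');
    }
}
```

The wipe only covers the array the wrapper owns; any `String` the binding layer created from the XML text before handing the value over stays in memory until the garbage collector reclaims it, so the approach only helps if the string form is never materialised in the first place.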
