Hi Andriy: Thanks for the quick response.

OWASP has general ideas about storing the password, and that is where this requirement on wiping out passwords comes from, but my question was specific to Apache CXF and XML Schema: how do I get Apache CXF to work in a way that the framework never uses Java String, an immutable object whose memory cannot be accessed by the client, to marshal/unmarshal passwords and other secrets?

Nav

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10

________________________________
From: Andriy Redko <[email protected]>
Sent: Tuesday, September 4, 2018 7:45:35 PM
To: Kumar, Navaneet; [email protected]
Subject: [External] Re: How to wipe out passwords and keys

Hi Navaneet,

The OWASP has a dedicated page related to storing passwords securely: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet. Is it helpful?

Thank you.

Best Regards,
Andriy Redko

Tuesday, September 4, 2018, 10:47:56 AM, you wrote:

KN> We have a security requirement where we must not leave passwords and other secrets in memory for long. We must
KN> "wipe out" such secrets in memory as soon as we are done with using them.
KN> Passwords are currently modeled as an "xsd:string" in our system, resulting in a Java String class to manipulate them.
KN> Java String is immutable in that there is no way to write spaces or other characters to the memory used by this object after we are done with it.
KN> I don't see a way to use, say, a character array to bind passwords.
KN> Has anyone else come across this issue? What is the recommended approach?
KN> Thanks
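One way to get a char[] binding for an xsd:string element in the JAXB databinding that CXF uses, as an added example that is not part of this thread and not Apache CXF or JAXB project code: a JAXB XmlAdapter converts the String the unmarshaller produces into a char[] field, and the owning class overwrites that array once the secret has been used. It assumes JAXB 2.x under javax.xml.bind (as bundled with Java 8; on Jakarta EE 9+ the package is jakarta.xml.bind), and the element names `login`, `user` and `password` and the class names are hypothetical.

```java
// Added example, not from the mailing-list thread or from Apache CXF:
// bind an xsd:string password to char[] via a JAXB XmlAdapter so the
// copy the application holds can be wiped. Assumes JAXB 2.x (javax.xml.bind).
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.bind.annotation.adapters.XmlAdapter;
import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
import java.io.StringReader;
import java.util.Arrays;

public class CharArrayPasswordBinding {

    /** Converts between the String JAXB hands over and a wipeable char[]. */
    public static final class CharArrayAdapter extends XmlAdapter<String, char[]> {
        @Override
        public char[] unmarshal(String v) {
            // JAXB has already materialised a String for the element text;
            // we copy it into an array we control. The String itself can only
            // be dropped for garbage collection, not zeroed.
            return v == null ? null : v.toCharArray();
        }

        @Override
        public String marshal(char[] v) {
            // Marshalling necessarily produces a String again (XML output).
            return v == null ? null : new String(v);
        }
    }

    @XmlRootElement(name = "login")            // hypothetical element name
    @XmlAccessorType(XmlAccessType.FIELD)
    public static class Login {
        @XmlElement(name = "user")
        public String user;

        @XmlElement(name = "password")
        @XmlJavaTypeAdapter(CharArrayAdapter.class)
        public char[] password;

        /** Overwrite the secret in place once it is no longer needed. */
        public void wipePassword() {
            if (password != null) {
                Arrays.fill(password, '\0');
            }
        }

        /** True when every char of the array has been zeroed. */
        public boolean isPasswordWiped() {
            if (password == null) {
                return true;
            }
            for (char c : password) {
                if (c != '\0') {
                    return false;
                }
            }
            return true;
        }
    }

    public static void main(String[] args) throws JAXBException {
        // Constructed sample message, not captured from any real system.
        String xml = "<login><user>alice</user><password>s3cret</password></login>";

        Unmarshaller u = JAXBContext.newInstance(Login.class).createUnmarshaller();
        Login login = (Login) u.unmarshal(new StringReader(xml));

        try {
            // Use login.password here, e.g. hand it to an API that accepts char[].
            System.out.println("password length: " + login.password.length);
        } finally {
            // Wipe on every exit path, including exceptions.
            login.wipePassword();
        }
        System.out.println("wiped: " + login.isPasswordWiped());   // true
    }
}
```

Two caveats the thread's requirement makes relevant. First, the adapter only controls the application's copy: the XML parser and JAXB runtime still create String (and often char buffer) instances for the element text while unmarshalling, and those cannot be cleared by the application, only left for garbage collection, so the guarantee is "the secret is not kept in a long-lived String" rather than "the secret never existed as a String". Second, for classes generated from a schema with wsdl2java rather than hand-written, the same mapping can be attached without editing generated code through a JAXB binding customization (`jaxb:javaType` with `parseMethod`/`printMethod`) or an `@XmlJavaTypeAdapter` on the package; which of the two fits depends on the project's build.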
