> On Oct 10, 2016, at 12:31 PM, Kiran Ayyagari <[email protected]> wrote:
>
> +1 to change it to string. We can always explicitly mark that as "null"
> after using it.
>
> (IMO if the attacker gained access to the OS then we have bigger
> operational security issues than
> implementation)

Kiran, thanks for weighing in. I want to make sure I am understanding….

So at the end of an operation, i.e. createSession ( User user ) we’d do something like this:

    user.setPassword(null);

?

Thanks,
Shawn
