Tags: java, security, memory-dump

Mitigate credential leaks via memory dumps in Java


We all know that passwords/credentials in Java shall be stored as a char array. It's mitigation, not protection.

I always keep my credentials not using immutable objects, but sooner or later I need to pass them to some class that expects a String (from all the 3rd-party libraries we use). Isn't all the effort gone then? For example: if I want to set an authorization header, the header value is stored as a String by the org.apache.http.message.BasicHeader class. Another example (maybe not that good): I use a service that deals with passwords (stores them or something else). It requires them as the body in the POST request. I create an HttpPost and add a StringEntity as the body. It's already stored as a String and can be dumped again.

Do you manage to keep your credentials relatively safe from memory dumps?

Thanks


Solution

  • After contacting some security experts in the field, I got the following answer:

    1. Storing credentials as char[] in Java is a second level of defence. The first one is not to allow them to make a memory dump.
    2. If the first level is passed, we can mitigate how much of the credentials they will find in memory.
    3. Not using 3rd-party libraries is almost impossible nowadays. However, in all of my examples the 3rd-party libraries have a reference to my password for a short period of time. The fact that they store it as a String does not mean we should not store it properly. We must aim to not store credentials as Strings, especially in caches or other places where a reference to that object is held for a long time.
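The following is an added example illustrating point 3 above; it is not code from the question or the answer. It assumes a hypothetical `Credential` wrapper class that keeps the secret as a `char[]`, zeroes it on `close()`, and builds a `Basic` authorization header value without ever creating a `String` holding the raw password (only the base64 header value, which the HTTP library will keep as a `String` for the duration of the request, as the answer notes). It uses only the JDK, so the `BasicHeader` / `HttpPost` calls from the question are represented by a plain consumer.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.function.Function;

/**
 * Hypothetical wrapper (not from the original post): keeps a credential as char[]
 * so it can be zeroed, and limits how long any String form of it is alive.
 */
final class Credential implements AutoCloseable {
    private final char[] chars;

    Credential(char[] chars) {
        this.chars = chars; // caller hands over ownership; we clear it on close()
    }

    /**
     * Hands a String form of the secret to a library call that insists on String.
     * The String cannot be wiped, so the callback must not cache or log it; its
     * only reference should die when this method returns.
     */
    <T> T withString(Function<String, T> thirdPartyCall) {
        String shortLived = new String(chars);
        return thirdPartyCall.apply(shortLived);
    }

    /**
     * Builds "Basic base64(user:password)" from the char[] directly, so no String
     * containing the raw password is ever allocated. Intermediate byte arrays are
     * zeroed; only the base64 header value (itself sensitive) survives as a String.
     */
    String basicAuthHeaderValue(String user) {
        byte[] userBytes = user.getBytes(StandardCharsets.UTF_8);
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] pw = new byte[encoded.remaining()];
        encoded.get(pw);
        if (encoded.hasArray()) {
            Arrays.fill(encoded.array(), (byte) 0); // wipe the encoder's scratch copy
        }
        byte[] joined = new byte[userBytes.length + 1 + pw.length];
        System.arraycopy(userBytes, 0, joined, 0, userBytes.length);
        joined[userBytes.length] = ':';
        System.arraycopy(pw, 0, joined, userBytes.length + 1, pw.length);
        try {
            return "Basic " + Base64.getEncoder().encodeToString(joined);
        } finally {
            Arrays.fill(pw, (byte) 0);
            Arrays.fill(joined, (byte) 0);
        }
    }

    @Override
    public void close() {
        Arrays.fill(chars, '\0'); // the one copy we control is now gone from the heap
    }
}

public class CredentialDemo {
    public static void main(String[] args) {
        // Constructed sample secret; in practice this would come from
        // System.console().readPassword(), which already returns char[].
        char[] secret = "s3cr3t-pass".toCharArray();

        try (Credential cred = new Credential(secret)) {
            // Header value built with no raw-password String in between.
            String header = cred.basicAuthHeaderValue("alice");
            System.out.println("Authorization: " + header);

            // When a library truly needs a String, keep its lifetime to one call.
            int bodyLength = cred.withString(s -> {
                // stands in for: new StringEntity(s) / httpPost.setEntity(...)
                return s.length();
            });
            System.out.println("Sent body of length " + bodyLength);
        }
        // After close(): the char[] is zeroed, so a later heap dump shows only
        // whatever the library kept (the header String), not our original copy.
        System.out.println("Cleared: " + Arrays.toString(secret));
    }
}
```

The design accepts the limitation the answer describes: a `String` the library keeps cannot be wiped, so the goal is to make sure that the one copy under your control is cleared, that no raw-password `String` is created where a `char[]` path exists, and that any unavoidable `String` is passed through a single call rather than stored in a field or cache.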