Search code examples
javaspringjdbchikaricp

String passwords in java on database connections

Recently we have added a tool to find security holes in our organization. One of the issues that was found is that when connecting to a database (ex. using Hikari), we have to provide a String containing the password (encrypted, of course, which will be decrypted when used).

Now, keeping passwords in Strings is not safe, because it can be extracted, until garbage collector comes and clears it.

So we started changing our code to use char[] and byte[] (not sure it's the best, but the idea is that we can clear the array after usage, and not wait for garbage collector to clear it for us) to set our passwords on Hikari, but the last part of the flow is setting an unencrypted password String to Hikari. So all this fuss to find out that Hikari is keeping the password inside a String..

So am I supposed to change Hikari code and recompile it as our own organization implementation of Hikari which use passwords from a char[]? or what?

How can we avoid this?

Solution

  • Now, keeping passwords in Strings is not safe, because it can be extracted, until garbage collector comes and clears it.

    Only if someone has sufficient access to capture what is in memory (or swap space on disk). If someone can do that, they can probably also do one or more of the following:

    • modify your application at the bytecode level to inject code to capture the secret
    • attach a debugger and use it to set a breakpoint at the point where the secret is used
    • read the secret from the file system, database, whatever
    • find the private key for your server's SSL certs and use it to snoop on the HTTPS traffic to your server,
    • walk out of your machine room with your hard drives, etc and then attack them at their leisure
    • and so on.

    Spending a lot of effort to use char[] for handling passwords won't address any of those other ways of stealing the secrets.

    And it won't address various other security blunders ... like porous firewalls, unencrypted backups saved to the cloud, keys on a stolen devops laptop, successful spear phishing, etc.

    So am I supposed to change Hikari code and recompile it as our own organization implementation of Hikari which use passwords from a char[]? or what?

    That is what you would need to do if you wanted to address this attack vector. Don't ever hold passwords in String objects, and make sure that you clear the char[] or byte[] or whatever that you use to hold them as soon as possible.

    Are you "supposed" to do that? Shrug.

    My advice would be to do a full security risk assessment, look at all of the issues and decide whether or not addressing this one will make a significant difference to overall security. Balance that against the costs of creating and maintaining the Hikari patches. On the flip-side, quantify the costs to your organization if (these) passwords were stolen.

    But it is not up to us to decide what you should. And it is not even possible to give you an objective recommendation, because we don't understand the full context.