
How secure is it to read a password? #235

Open
miguelvelezmj25 opened this issue Mar 22, 2016 · 2 comments

Comments

@miguelvelezmj25

I was looking through your examples for capturing a password and I saw this code in one of your examples

String line = reader.readLine("Enter password> ", mask);

However, it is suggested by the Java API as well as many people on the internet to use a char[] instead of a String so that you can write random bytes to the char[] to avoid having the password sitting in memory in an immutable object.

Security note: If an application needs to read a password or other secure data, it should use readPassword() or readPassword(String, Object...) and manually zero the returned character array after processing to minimize the lifetime of sensitive data in memory.

Console cons;
char[] passwd;
if ((cons = System.console()) != null && 
        (passwd = cons.readPassword("[%s]", "Password:")) != null) {
    ...
    java.util.Arrays.fill(passwd, ' ');
}

I was wondering if this is addressed in your code base, or how you handle security after the user has entered a password?
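The pattern the Java API note above recommends, carried through end to end, as an added example that is not part of this issue and is not JLine's own code: the password is read into a char[] via java.io.Console, passed to a JCA API that also accepts char[] (PBEKeySpec, used here with PBKDF2; the iteration count, salt size and key length are assumptions for the demo), and every copy is wiped in a finally block so the wipe also runs on the exception path. When no Console is available (IDE, pipe, test harness) the program fails closed instead of falling back to an echoing reader.

```java
import java.io.Console;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Reads a password into a char[] (never a String), feeds it to a char[]-based
 * JCA API, and wipes every copy on every exit path.
 * Added example for the discussion above; not JLine code.
 */
public final class PasswordRead {

    /** Returns the password as a char[], or null when there is no interactive console. */
    static char[] readPassword() {
        Console cons = System.console();
        if (cons == null) {
            // Under an IDE, a pipe or a test harness there is no Console. Refuse
            // rather than fall back to a reader that echoes the password to the terminal.
            return null;
        }
        return cons.readPassword("[%s]", "Password:");
    }

    /**
     * Derives a 256-bit key with PBKDF2-HMAC-SHA256 (parameters are demo assumptions).
     * PBEKeySpec clones the password array internally, so that clone is cleared in finally.
     */
    static byte[] deriveKey(char[] passwd, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passwd, salt, 600_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipes PBEKeySpec's own copy of the password
        }
    }

    /** True once every element is zero; used to confirm the wipe actually ran. */
    static boolean isWiped(char[] buf) {
        for (char c : buf) {
            if (c != 0) return false;
        }
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] passwd = readPassword();
        if (passwd == null) {
            System.err.println("No interactive console available; refusing to read the password with echo on.");
            System.exit(2);
        }
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] key;
        try {
            key = deriveKey(passwd, salt);
        } finally {
            Arrays.fill(passwd, '\0'); // runs even if deriveKey throws; the caller's copy is gone
        }
        System.out.println("Derived " + (key.length * 8) + "-bit key; password buffer wiped: " + isWiped(passwd));
        Arrays.fill(key, (byte) 0); // the derived key is sensitive too; wipe it once it has been used
    }
}
```

Two caveats a practitioner should keep in mind. A String returned by readLine(prompt, mask) cannot be treated this way at all: String is immutable, the caller has no handle to its backing array, and the contents survive until the garbage collector reclaims the object, so they can show up in a heap dump or core file long after the call returned. And wiping a char[] shortens the exposure window rather than closing it: a compacting GC may already have copied the array elsewhere on the heap, and the terminal driver, swap and any intermediate buffers are outside the JVM's control.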

@gnodet
Member

gnodet commented Mar 22, 2016

That's currently not supported.
You need to use the method which returns a String at the moment.

@miguelvelezmj25
Author

Is there any type of security implemented in the meantime?
