I’m using a Java library implementation of Argon2 which requires using a char array for passwords.
For testing purposes, I want to check that it works before adding it to my website, but I have some difficulty understanding how to avoid storing the input as a String before converting it to a char array.
Basically, I’m using the Eclipse IDE, so I can’t use Console console = System.console() to call console.readPassword(). To reproduce it, I’m trying something like this:
char[] password = new String("test").toCharArray();
But at this point my String is already in memory and can be caught by malicious software, can’t it?
The Argon2 library provides a function to wipe the array, but the String would stay there, wouldn’t it?
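
One way to get the password into a char array without an intermediate String when System.console() returns null, as it does in Eclipse. This is an added example, not part of the original post or of the Argon2 library; the class name PasswordInput, the readPassword helper and the 128-character limit are assumptions.

```java
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class PasswordInput {

    // Reads one line into a char[] without ever building a String.
    static char[] readPassword(Reader in, int maxLen) throws IOException {
        char[] buf = new char[maxLen];
        int len = 0;
        try {
            int c;
            while ((c = in.read()) != -1 && c != '\n') {
                if (c == '\r') continue;               // tolerate CRLF line endings
                if (len == maxLen) throw new IOException("password too long");
                buf[len++] = (char) c;
            }
            return Arrays.copyOf(buf, len);            // exact-size copy for the caller
        } finally {
            Arrays.fill(buf, '\0');                    // wipe the oversized working buffer
        }
    }

    public static void main(String[] args) throws IOException {
        Console console = System.console();            // null when launched from Eclipse
        // Fallback input is echoed in the IDE console; acceptable for a local test only.
        // The stream's and decoder's internal buffers may still hold copies of the input.
        char[] password = (console != null)
                ? console.readPassword("Password: ")
                : readPassword(new InputStreamReader(System.in, StandardCharsets.UTF_8), 128);
        if (password == null) throw new IOException("no input");
        try {
            // Hypothetical call site: pass `password` to the Argon2 hash function here.
            System.out.println("read " + password.length + " chars");
        } finally {
            Arrays.fill(password, '\0');               // wipe once hashing is done
        }
    }
}
```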