When handling sensitive data such as passwords, avoid type conversions that produce additional copies in memory. Pass a char[] directly to methods that accept one rather than converting it to a String and back to a char[]: the intermediate String, and the second char[] derived from it, are extra copies you cannot clear. Fewer copies means less material left in the heap for a heap dump, core file or memory-disclosure bug to expose.
Example of what to avoid:
// Problematic: new String(password) is an uncleanable copy, and toCharArray() makes a third one
byte[] passwordBytes = ScramFormatter.normalize(new String(password).toCharArray());
Preferred approach:
// Better: pass the char[] directly; only the caller's array and the returned byte[] exist
byte[] passwordBytes = ScramFormatter.normalize(password);
This practice matters because a String is immutable: it cannot be overwritten, its contents stay in the heap until the garbage collector reclaims the object, and even then the memory is not zeroed until it is reused. A char[] can be overwritten with Arrays.fill the moment it is no longer needed. Two caveats: the byte[] that normalize returns is a copy of the password as well and should be cleared the same way once it has been consumed, and clearing is best effort, since a moving collector may already have relocated the array and left the old bytes behind.
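The following is an added example, not Kafka's ScramFormatter or any other code from the original page. It shows a hypothetical toUtf8(char[]) stand-in for a normalize-style method that encodes a char[] password to UTF-8 without ever materializing a String, wipes the encoder's staging buffer it does create, and a caller that clears both its input array and the returned bytes. The password value is constructed for the demonstration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.CoderResult;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example (hypothetical helper, not Kafka's ScramFormatter): encode a
// char[] password to UTF-8 bytes without creating a java.lang.String, and
// wipe every intermediate copy this code owns.
public final class PasswordBytes {

    // Encode chars to UTF-8 directly. Pre-sizing the output buffer keeps the
    // encoder from allocating a larger buffer behind our back (a copy we could
    // never wipe), and the staging buffer is zeroed before we return.
    static byte[] toUtf8(char[] password) {
        CharsetEncoder enc = StandardCharsets.UTF_8.newEncoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
        CharBuffer in = CharBuffer.wrap(password);            // a view over password, not a copy
        ByteBuffer staging = ByteBuffer.allocate(
                (int) Math.ceil(password.length * (double) enc.maxBytesPerChar()));
        try {
            CoderResult r = enc.encode(in, staging, true);
            if (r.isError()) r.throwException();
            r = enc.flush(staging);
            if (r.isError()) r.throwException();
            staging.flip();
            byte[] out = new byte[staging.remaining()];
            staging.get(out);
            return out;                                       // the one copy the caller owns
        } catch (CharacterCodingException e) {
            throw new IllegalArgumentException("password is not well-formed UTF-16", e);
        } finally {
            Arrays.fill(staging.array(), (byte) 0);           // wipe the encoder's copy
        }
    }

    // The pattern the text recommends against, for contrast: the String and the
    // char[] derived from it are two extra copies that nothing can clear.
    static byte[] toUtf8ViaString(char[] password) {
        return toUtf8(new String(password).toCharArray());
    }

    public static void main(String[] args) {
        // Constructed sample input; a real caller would take the char[] straight
        // from Console.readPassword() or the SASL callback that supplied it.
        char[] password = {'p', 'a', 's', 's', 'w', '\u00f6', 'r', 'd'};
        byte[] bytes = toUtf8(password);
        try {
            // 'ö' encodes to two bytes, so the 8 chars become 9 bytes.
            System.out.println(bytes.length + " UTF-8 bytes");
            // ... hand `bytes` to the KDF / SCRAM step here ...
        } finally {
            Arrays.fill(bytes, (byte) 0);                     // clear the normalized bytes
            Arrays.fill(password, '\0');                      // clear the caller's input
        }
        System.out.println("password wiped: "
                + Arrays.equals(password, new char[password.length]));
    }
}
```

The try/finally shape is the part worth copying: the wipe runs whether or not the KDF step throws, and it covers both the char[] that came in and the byte[] that came out. If a library you call only offers a String overload, the conversion cost is unavoidable; prefer the char[] or byte[] overload wherever one exists.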