Miss to call clearPassword for PBEKeySpec

I am reaching out to you as we conducted an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub. During our study, we randomly inspected a few of the misuses. One of the misuses for which we could confirm the finding of the analysis, [CogniCryptSAST](https://github.com/CROSSINGTUD/CryptoAnalysis) is within this project.

In the class [PasswordFactory$PBKDF2Password](https://github.com/lutece-platform/lutece-core/blob/master/src/java/fr/paris/lutece/portal/business/user/authentication/PasswordFactory.java#L185) miss to call the method `clearPassword` after generating the password. This method ([JCA](https://docs.oracle.com/javase/8/docs/api/javax/crypto/spec/PBEKeySpec.html#clearPassword--)) clears an internal copy of the password from memory. Thus, it should be called to ensure that an attacker can not obtain the password from memory.

We hope that this report helps you and would be glad to get your thoughts on this issue.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Miss to call clearPassword for PBEKeySpec #289

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Miss to call clearPassword for PBEKeySpec #289

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions