Question

I have been wondering quite a bit about String functions such as replace().

My objective is simple. I have a logger that logs strings into a text file; the strings contain passwords which need to be masked before they are written to the log file.

For example:

str = "-field_value=userId=1,-field_value=password=pass123,-field_value=location=London,-field_value=day=Tuesday,-field_value=emailPassword=pass123,-field_value=fbPassword=pass1234";

Which approach would be the best in this case? The string may or may not end with a password "field_value".

I need to mask every occurring "Password" in this string, preserving its exact length, to get the following output:

str = "-field_value=userId=1,-field_value=password=*******,-field_value=location=London,-field_value=day=Tuesday,-field_value=emailPassword=*******,-field_value=fbPassword=********";

Which would be a more suitable option to use? Normal string handling (using substrings/replaceAll/indexOf) or StringBuilder functions?

Also, how effective is using Regular Expressions in this case? I've never used Regex extensively, so I have little idea on using it for this scenario.


Solution 2

I used the String.replaceAll(regex, replacement) method to search for password or emailPassword etc. and did the masking. Not sure if that's the most ideal method to do the masking in this case.
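As an added example (not code from the question or from this answer), here is the regex idea carried through in Java. A plain replaceAll cannot vary the mask length per match, so a Matcher loop with appendReplacement is used instead; the pattern, the assumption that values never contain a comma, and the extra sample fields are mine, not the original poster's.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PasswordMasker {

    // Any key name ending in "password" (case-insensitive) followed by "=".
    // The value runs up to the next ',' or to the end of the string, so a
    // trailing password field with no comma after it is still matched.
    // Group 1 is the "password=" suffix we keep; group 2 is the secret.
    // Assumption: field values never contain a literal ','.
    private static final Pattern PASSWORD_FIELD =
        Pattern.compile("(?i)(password=)([^,]*)");

    /** Replace every password value with the same number of '*' characters. */
    public static String mask(String logLine) {
        Matcher m = PASSWORD_FIELD.matcher(logLine);
        StringBuilder out = new StringBuilder(logLine.length());
        while (m.find()) {
            String stars = "*".repeat(m.group(2).length());
            // quoteReplacement() matters: without it a '$' or '\' in the
            // replacement text would be read as a group reference.
            m.appendReplacement(out, Matcher.quoteReplacement(m.group(1) + stars));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the string from the question. The last field is a
        // password with no trailing comma, which the pattern must still catch.
        String str = "-field_value=userId=1,-field_value=password=pass123,"
            + "-field_value=location=London,-field_value=day=Tuesday,"
            + "-field_value=emailPassword=pass123,-field_value=fbPassword=pass1234";
        System.out.println(mask(str));

        // Constructed edge cases: "passwordHint" is not a password field and is
        // left alone because no '=' follows "password"; "oldPassword=" has an
        // empty value and simply gets zero stars.
        System.out.println(mask("-field_value=passwordHint=mum,-field_value=oldPassword="));
    }
}
```

Two caveats a practitioner would want noted. First, a length-preserving mask still leaks the password length into the log; if the requirement allows it, a fixed-width replacement such as replaceAll("(?i)(password=)[^,]*", "$1****") is safer and simpler. Second, masking only protects the file: the unmasked String still exists in the JVM heap until it is collected, which is the point the other answer below makes.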

OTHER TIPS

I assume this is C#, but this answer is valid for many other languages.

You must not have passwords in clear text. Right now you do. So that is a huge security concern, and it doesn't matter if you put "*" instead of the password. It is there in memory, and little skill is needed to extract passwords from memory (given that the attacker has access to the machine).

A standard approach is that you only store the password hash and salt. Now the problem would be how you convert a password into the hash and how you securely dispose of the original password. For this purpose you should use SecureString, which encrypts the password string in memory and securely removes it from memory when it is no longer needed.

To give a direct answer to your question: you do not use any approach to replace a password character with a star. Any approach in this case is insecure.

Licensed under: CC-BY-SA with attribution