When I learned Java, I learned that Strings were not safe for storing passwords, since you cannot manually clear the memory associated with them (you cannot be sure they will be gc'ed in the end, interned strings never will be, and even after gc you cannot be sure that the contents of the physical memory were really wiped). Instead, I had to use char arrays, so that I could clear them after use. I tried to find similar methods in other languages and platforms, but so far I have not been able to find the relevant information (usually all I see are code examples of passwords stored in strings without any mention of a security problem).
I am particularly interested in the situation with browsers. I use jQuery a lot, and my usual approach is to simply set the password field value to an empty string and forget about it:
$(myPasswordField).val("");
But I am not 100% convinced that this is enough. I also don't know if the strings used for intermediate access are safe (for example, when I use $.ajax to send the password to the server). As for other languages, I usually don't see any mention of this problem (the other language I'm interested in is Python).
I know that questions asking to create lists are controversial, but since this concerns a general security problem, which is largely ignored, IMHO it's worth it. If I am mistaken, I would be happy to learn only about JavaScript (in browsers) and Python. I was also not sure whether to ask here, on security.SE or on programmers.SE, but since this involves the actual code for performing the task safely (and not a conceptual question), I believe this site is the best option.
Note: in low-level languages or languages that unambiguously support characters as primitive types, the answer should be obvious. (Edit: it's not entirely obvious, as @Gabe showed in his answer below.) I am asking about those high-level languages in which "everything is an object" or something like that, as well as those that perform automatic rearrangement of strings behind the scenes (so that you can create a security hole without realizing it, even if you are careful enough).
Update: according to the answer in a related question, even using char[] in Java (or SecureString in .NET) is not guaranteed to be bulletproof, since the gc can move the array, so that its contents can remain in memory even after clearing (SecureString at least stays at the same RAM address, guaranteeing clearing, but its consumers/producers may still leave traces).
I think @NiklasB. is right: although the vulnerability exists, the probability of an attack is low and it is difficult to prevent, which may be the reason why this problem is mostly ignored. I would like to find at least some reference to this problem regarding browsers, but googling has so far been fruitless (does this scenario even have a name?).
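An added example, not part of the original question: the Java char[] idiom described above carried over to JavaScript with a Uint8Array, which can be overwritten in place where a string cannot, together with a check of which derived values the wipe reaches. The names `withSecretBytes`, `stringCanBeWiped` and `demo` and the sample password are hypothetical and constructed for this example.

```javascript
// Constructed sample value, not a real credential.
const SAMPLE_PASSWORD = 'correct horse battery staple';

// A string cannot be overwritten in place: the assignment is ignored
// (or throws a TypeError in strict mode) and the content is unchanged.
function stringCanBeWiped(s) {
  try { s[0] = '\0'; } catch (_) { /* strict mode */ }
  return s[0] === '\0';
}

// Hypothetical helper: encode the secret into a mutable Uint8Array, pass it
// to `use`, then zero the buffer, also when `use` throws or its promise rejects.
// The source string passed in is untouched; only the buffer can be wiped.
function withSecretBytes(secret, use) {
  const buf = new TextEncoder().encode(secret);
  let result;
  try {
    result = use(buf);
  } catch (err) {
    buf.fill(0);
    throw err;
  }
  if (result && typeof result.then === 'function') {
    return result.finally(() => buf.fill(0));
  }
  buf.fill(0);
  return result;
}

// Shows which values derived from the buffer the wipe reaches.
function demo() {
  let view, copy, decoded;
  const length = withSecretBytes(SAMPLE_PASSWORD, (buf) => {
    view = buf.subarray(0, 4);                // shares memory with buf
    copy = buf.slice(0, 4);                   // independent copy
    decoded = new TextDecoder().decode(buf);  // new immutable string
    return buf.length;
  });
  return {
    length,
    viewWiped: view.every((b) => b === 0),
    copyWiped: copy.every((b) => b === 0),
    decodedSurvives: decoded === SAMPLE_PASSWORD,
    decodedCanBeWiped: stringCanBeWiped(decoded),
  };
}
```

Only the buffer and views that share its memory are cleared; the copy made with `slice()` and the decoded string keep the secret, which is the "consumers may still leave traces" case from the update above.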