Security Flaw In How Jedis Stores Server Password

[saden1]

Jedis stores Redis server password as a String. Both "Java Cryptography Architecture guide" and "Secure Coding Guidelines for Java SE" recommend that sensitive information be stored in char array instead of a String.

[HeartSaVioR]

Hello.
At first, You're right! It saves us from memory attack, core dump, etc.
We need to change method signature, and it means we should break compatibility.
So we can schedule it to major release (currently 3.0.0).
We would very happy with you providing pull request!

Btw, Redis is not designed to strong security. Please refer http://redis.io/topics/security for details.
Especially AUTH command sent to Redis unencrypted, so Redis is exposed to network attacker!

So you should use firewall, or add security layers (ex. SSL) before use Redis.
Only using password never saves us.