spring-security/docs/modules/ROOT/pages/servlet/authentication/passwords/erasure.adoc

== Password Erasure

After successful authentication, it is a security best practice to erase credentials from memory to prevent them from being exposed to potential memory dump attacks.
`ProviderManager` in Spring Security supports this practice through the `eraseCredentials` method, which should be invoked after the authentication process is complete.

=== Best Practices

* *Immediate Erasure*: Credentials should be erased immediately after they are no longer needed, which minimizes the window during which the credentials are exposed in memory.
* *Automatic Erasure*: Configure `ProviderManager` to automatically erase credentials post-authentication by setting `eraseCredentialsAfterAuthentication` to `true` (the default).
* *Custom Erasure Strategies*: Implement custom erasure strategies in custom `AuthenticationManager` implementations if the default erasure behavior does not meet specific security requirements.

=== Risk Assessment

Failure to properly erase credentials can lead to several risks:

* *Memory Access Attacks*: Attackers can access raw credentials from memory through exploits like buffer overflow attacks or memory dumps.
* *Insider Threats*: Malicious insiders with access to systems could potentially extract credentials from application memory.
* *Accidental Exposure*: In multi-tenant environments, lingering credentials in memory could accidentally be exposed to other tenants.

=== Implementation

[source,java]
----
public class CustomAuthenticationManager implements AuthenticationManager {

	@Override
	public Authentication authenticate(Authentication authenticationRequest)
			throws AuthenticationException {

		Authentication authenticationResult;
		// TODO: Perform authentication checks...

		// Erase credentials post-check
		if (authenticationResult instanceof CredentialsContainer container) {
			container.eraseCredentials();
		}
	}

}
----

By implementing these practices, organizations can significantly enhance the security of their authentication systems by ensuring that credentials are not left exposed in system memory.
Improve documentation about CredentialsContainer Issue gh-15398 2024-08-11 23:53:41 +08:00			`== Password Erasure`

Polish gh-15554 Closes gh-15398 2024-11-14 04:45:54 +08:00			`After successful authentication, it is a security best practice to erase credentials from memory to prevent them from being exposed to potential memory dump attacks.`
			`ProviderManager` in Spring Security supports this practice through the `eraseCredentials` method, which should be invoked after the authentication process is complete.
Improve documentation about CredentialsContainer Issue gh-15398 2024-08-11 23:53:41 +08:00
			`=== Best Practices`

Polish gh-15554 Closes gh-15398 2024-11-14 04:45:54 +08:00			`* Immediate Erasure: Credentials should be erased immediately after they are no longer needed, which minimizes the window during which the credentials are exposed in memory.`
			* Automatic Erasure: Configure `ProviderManager` to automatically erase credentials post-authentication by setting `eraseCredentialsAfterAuthentication` to `true` (the default).
			* Custom Erasure Strategies: Implement custom erasure strategies in custom `AuthenticationManager` implementations if the default erasure behavior does not meet specific security requirements.
Improve documentation about CredentialsContainer Issue gh-15398 2024-08-11 23:53:41 +08:00
			`=== Risk Assessment`

			`Failure to properly erase credentials can lead to several risks:`

Polish gh-15554 Closes gh-15398 2024-11-14 04:45:54 +08:00			`* Memory Access Attacks: Attackers can access raw credentials from memory through exploits like buffer overflow attacks or memory dumps.`
			`* Insider Threats: Malicious insiders with access to systems could potentially extract credentials from application memory.`
			`* Accidental Exposure: In multi-tenant environments, lingering credentials in memory could accidentally be exposed to other tenants.`
Improve documentation about CredentialsContainer Issue gh-15398 2024-08-11 23:53:41 +08:00
			`=== Implementation`

			`[source,java]`
			`----`
Polish gh-15554 Closes gh-15398 2024-11-14 04:45:54 +08:00			`public class CustomAuthenticationManager implements AuthenticationManager {`

			`@Override`
			`public Authentication authenticate(Authentication authenticationRequest)`
			`throws AuthenticationException {`

			`Authentication authenticationResult;`
			`// TODO: Perform authentication checks...`

			`// Erase credentials post-check`
			`if (authenticationResult instanceof CredentialsContainer container) {`
			`container.eraseCredentials();`
			`}`
			`}`

Improve documentation about CredentialsContainer Issue gh-15398 2024-08-11 23:53:41 +08:00			`}`
			`----`

			`By implementing these practices, organizations can significantly enhance the security of their authentication systems by ensuring that credentials are not left exposed in system memory.`