by cybertim 1268 days ago
How does Bitwarden's backend being built in a GC language matter? There is also an API-compatible project in Rust called Vaultwarden if GC matters. Is 1Password's and LastPass's backend better in that regard? Would be nice if he could elaborate on that point.
1 comment

I had the same question.

I think it's that he also complains about LastPass storing things in memory, so perhaps the GC thing just makes it more difficult to analyze what it's doing in memory? In a non-GC language you'd be able to see explicitly what is going in and out of memory, but with GC the runtime is doing that for you.

> In a non-GC language you’d be able to see explicitly what is going in and out of memory, but with GC the runtime is doing that for you.

I hear you about the GC's calls to free, but if one is concerned about leaking key material, there's an existing pattern for that, no GC nonsense required: use a (byte|char) array and then zero it after use: https://docs.oracle.com/en/java/javase/11/docs/api/java.base...

It runs the same risk as does any general-purpose computing, in that your process can crash or some attacker can be on the machine sniffing all the things, but it's certainly better than `password = new String("hunter22") // good luck`.

I also grant you that managing the key material must be disciplined across the whole lifecycle of that material, so `char[] password = readString().toCharArray()` doesn't help.
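The pattern and the caveat from the comment above, as an added example that is not code from the thread or from any of the password managers discussed: a secret held in a `char[]` is wiped in a `finally` block, while the `toCharArray()` shortcut leaves the original `String` on the heap until the collector gets to it. The class name, the `useAndWipe` helper and the "hunter22" sample value are constructed for the example.

```java
import java.util.Arrays;

// Added example: zeroing key material in a GC language (Java). Not from the thread.
public final class SecretHandling {

    // Anti-pattern from the comment: an immutable String cannot be wiped by the
    // program, so "hunter22" stays in the heap until the GC reclaims it.
    static String asString() {
        return new String("hunter22"); // constructed sample secret
    }

    // Pattern from the comment: work on a char[] and zero it when done. The
    // finally block wipes it even if the work in the try block throws.
    static int useAndWipe(char[] secret) {
        try {
            return secret.length; // stand-in for deriving a key from the secret
        } finally {
            Arrays.fill(secret, '\0');
        }
    }

    // Caveat from the comment: toCharArray() copies out of a String that still
    // exists, so zeroing the copy leaves the original "hunter22" intact.
    static boolean stringStillHoldsSecret() {
        String s = asString();
        char[] copy = s.toCharArray();
        useAndWipe(copy);
        return s.equals("hunter22"); // true: the copy is zeroed, the String is not
    }

    // Check that a buffer contains only zeros after useAndWipe.
    static boolean isWiped(char[] buf) {
        return Arrays.equals(buf, new char[buf.length]);
    }

    public static void main(String[] args) {
        // Prefer an API that hands back a char[] directly, such as
        // Console.readPassword(), so no String copy of the secret is ever made.
        // System.console() is null without an attached terminal, so fall back to
        // a constructed sample (which, being a String literal, is exactly the
        // copy the comment warns about; it exists here only to keep the demo runnable).
        java.io.Console console = System.console();
        char[] secret = (console != null)
                ? console.readPassword("Password: ")
                : "hunter22".toCharArray(); // constructed fallback for the demo

        int len = useAndWipe(secret);
        System.out.println("used " + len + " chars, wiped: " + isWiped(secret));
        System.out.println("String copy still readable: " + stringStillHoldsSecret());
    }
}
```

`Arrays.fill` is plain Java, so the JIT cannot legally remove it here because the buffer is still reachable afterwards; the remaining exposure is the one the comment names (a crash dump or an attacker already on the host), plus any earlier `String` the secret passed through before reaching the `char[]`.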