or reset a string a million times and measure the difference.
at which string size does clearing the memory become a performance problem?
how about reversing the whole operation, clear all strings by default and allow the developer to mark strings as unsecure where performance actually matters.
or clear all strings below a certain size whether they are secure or not. that would at least hinder some timing attacks.
it's a question of whether the preference is for speed or security.
is this an appropriate way to test this?
gauge{ int i=100000000; while(i){ string a = String.secure("this is a short string"); a = 0; i--; } };
(6) Result: 72.9443
gauge{ int i=100000000; while(i){ string a = "this is a short string"; a = 0; i--; } };
(7) Result: 29.1452
greetings, martin.