Java - How to store password used in application? [duplicate]

I'm developing an application which reads some data from a db. The connection to the db is performed through the standard login/password mechanism.

The problem is: how to store the db password? If I store it as a class member, it can be easily retrieved through a decompiling operation.

I think that obfuscation doesn't solve the problem, since a string password can be found easily even in obfuscated code.

Does anyone have suggestions?

Mauri asked Nov 19 '11 15:11



People also ask

How do you store application credentials?

If you are storing credentials on the user's machine, store them in some private location: maybe a configuration file or in a directory, preferably one that is only readable by this particular app or this particular user (not a world-readable file).

Why we should not store password in String in Java?

Since Strings are immutable in Java, if you store the password as plain text it stays in memory until the garbage collector clears it, and since String values may be interned in the String pool for reuse, there is a fairly high chance that it will remain in memory for a long time, which is a security risk.

Why is char[] preferred over String for storing a password?

Using a plain String carries a much higher chance of accidentally printing the password to logs or other insecure places, whereas a char[] array is less exposed (its default toString() does not print the contents). Since String is immutable, there is no method that allows us to change or overwrite the content of the string, while a char[] can be zeroed as soon as it is no longer needed.


1 Answer

Never hard-code passwords into your code. This was brought up recently in the Top 25 Most Dangerous Programming Mistakes:

Hard-coding a secret account and password into your software is extremely convenient -- for skilled reverse engineers. If the password is the same across all your software, then every customer becomes vulnerable when that password inevitably becomes known. And because it's hard-coded, it's a huge pain to fix.

You should store configuration information, including passwords, in a separate file that the application reads when it starts. That is the only real way to prevent the password from leaking as a result of decompilation (never compile it into the binary to begin with).

See this wonderful answer by William Brendel for a more detailed explanation.

COD3BOY answered Oct 08 '22 19:10

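One way to follow the advice in the answer above, as an added example that is not part of the original answer or any library: the credentials live in a properties file outside the jar (the path /etc/myapp/db.properties, the db.config system property and the db.password key are assumed), the loader refuses a file that other local users can read, and the password is handed around as a char[] that is wiped after use.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Arrays;
import java.util.Properties;
import java.util.Set;

/** Loads DB credentials from a file outside the jar, so nothing secret is compiled in. */
public final class DbCredentials {

    /** Assumed location; override with -Ddb.config=/other/path at startup. */
    private static final Path CONFIG =
            Paths.get(System.getProperty("db.config", "/etc/myapp/db.properties"));

    private DbCredentials() {}

    /** Refuse a config file that group or others can read (POSIX filesystems only). */
    static void requireOwnerOnly(Path file) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        if (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ)) {
            throw new IOException(file + " must not be readable by group/others (chmod 600)");
        }
    }

    /** Returns the password as char[] so the caller can wipe it when done. */
    static char[] loadPassword(Path file) throws IOException {
        requireOwnerOnly(file);
        Properties props = new Properties();
        try (Reader in = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
            props.load(in);
        }
        String pw = props.getProperty("db.password");
        if (pw == null || pw.isEmpty()) {
            throw new IOException("db.password missing in " + file);
        }
        return pw.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        char[] password = loadPassword(CONFIG);
        try {
            // Hand the char[] to the driver/DataSource here; never log or print it.
            System.out.println("loaded a password of length " + password.length);
        } finally {
            // Wipe our copy. The String created by Properties still lingers until GC,
            // which is the limitation the "char[] vs String" note above describes.
            Arrays.fill(password, '\0');
        }
    }
}
```

The file is expected to contain a line of the form `db.password=...` and nothing else secret; on a non-POSIX filesystem `getPosixFilePermissions` throws `UnsupportedOperationException`, so the permission check would need a platform-specific replacement there.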