Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Java - How to store password used in application? [duplicate]

Tags:

java

passwords

store

I'm developing an application which read some data from a db. The connection to the db is performed through standard login/password mechanism.

The problem is: how to store the db password? If I store it as a class member, it can be easily retrieved through a decompiling operation.

I think that obfuscation doesn't solve the problem, since a string password can be found easily also in obfuscated code .

Anyone has suggestions?

like image 809
Mauri Avatar asked Nov 19 '11 15:11

Mauri

People also ask

How do you store application credentials?

If you are storing credentials on the user's machine, store them in some private location: maybe a configuration file or in a directory, preferably one that is only readable by this particular app or this particular user (not a world-readable file).

Why we should not store password in String in Java?

1) Since Strings are immutable in Java if you store the password as plain text it will be available in memory until the Garbage collector clears it and since String is used in the String pool for reusability there is a pretty high chance that it will remain in memory for a long duration, which poses a security threat.

Why Chararray is preferred over String for storing password?

Using the plain string is a much higher chance of accidentally printing the password to logs or some other insecure places where char[] array is less vulnerable. Since String is immutable, there is no method defined that allow us to change or overwrite the content of the string.

1 Answers

Never hard-code passwords into your code. This was brought up recently in the Top 25 Most Dangerous Programming Mistakes

Hard-coding a secret account and password into your software is extremely convenient -- for skilled reverse engineers. If the password is the same across all your software, then every customer becomes vulnerable when that password inevitably becomes known. And because it's hard-coded, it's a huge pain to fix.

You should store configuration information, including passwords, in a separate file that the application reads when it starts. That is the only real way to prevent the password from leaking as a result of decompilation (never compile it into the binary to begin with).

See this wonderful answer for more detailed explanation : By William Brendel

like image 104
COD3BOY Avatar answered Oct 08 '22 19:10

COD3BOY
Sign in to Comment

Related questions

ClassCast error: Java 7 vs Java 8
Chain of Map method references
In Java, why can't I use a lambda as an enhanced for loop's Expression?
Firebase Cloud Messaging notification from Java instead of Firebase Console
Spring @Transactional(Propagation.NEVER) should create Hibernate session?
What is "Locked ownable synchronizers" in thread dump?
How to get started writing a code coverage tool? [closed]
How can I use BitmapRegionDecoder code in android 2.2.2 (Froyo)?
How to short-circuit a reduce() operation on a Stream?
JPA-based JUnit Test Best Practices
Large Java System Dependency Management
Java Reflection: Getting fields and methods in declaration order
Why are initial random numbers similar when using similar seeds?
Polymorphism and inheritance in Avro schemas
How to manually render Spring MVC view to html?
Declare Maven dependency as test runtime only
How to join tables on non Primary Key using JPA and Hibernate
How can I generate entities classes from database using Spring Boot and IntelliJ Idea?
Atomic file write operations (cross platform)
How can I get MIME type of an InputStream of a file that is being uploaded?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!