java String compile

Question

I am writing an application which load files using FTP. The code looks like this:

String username = "username";
String password = "password";

But after compiling I can see those in .class files. Compiled code looks like this:

\00username\00password

So the problem is that i can see the password and login in compiled code. I think that is not good. How can I make java compile strings in bytecode too?

Answer 1

There is no such thing as compiling a String literal to "bytecode." There is a byte representation of a String, however, as you noticed, most text viewers will translate this byte representation to its normal ascii/unicode representation. Either way, storing even an obfuscated username/password is a security hazard, and should never be done.

In order to store a username/password securely you should be accessing it from an external secure file, not hard coding it into the program.

Answer 2

Dicarlo2 said:

In order to store a username/password securely you should be accessing it from an external secure file, not hard coding it into the program.

That is still better than hardcoding it in the Java code, but you may need to know that Strings are interned in a String pool which can be a security problem too.

This is why the Console.readPassword returns a char array instead of a String. http://docs.oracle.com/javase/tutorial/essential/io/cl.html

Second, readPassword returns a character array, not a String, so the password can be overwritten, removing it from memory as soon as it is no longer needed.

But in real applications the passwords are often used as Strings