Hardcoded Passwords

**k1ng** · 05-17-2012, 04:58 PM

At the moment my app hard codes passwords in order to create, read and update a local database. I want to make this more so hard coding passwords is obviously not the way to go. The problem is that if I store the password anywhere it's then viewable by anyone, if I one way encrypt it I need to store the key somewhere and I'm back where I started. If I two way encrypt it it not much more secure because it's vulnerable to anyone who decompiles my Java app and looks at the decryption algorythm.

How do people get round this problem?

**JosAH** · 05-17-2012, 05:05 PM

What is wrong with one-way-encryption? Suppose the real password is "secret" and the encrypted version (in text form) is "SDK()^&FDS&D&SDVHM*C". It's a hard task to find a matching password ...

kind regards,

Jos

**k1ng** · 05-17-2012, 05:07 PM

It is but like I said, if it's a one way encryption then it needs a decrypt key which then needs to be stored somewhere and I'm back where I started

**JosAH** · 05-17-2012, 05:38 PM

Originally Posted by k1ng

It is but like I said, if it's a one way encryption then it needs a decrypt key which then needs to be stored somewhere and I'm back where I started

That's not how one-way-encrypting works; you never decrypt anything (it can't be done anyway); you encrypt a potential password and check whether or not it matches the encryption of the original password.

kind regards,

Jos

**k1ng** · 05-17-2012, 05:59 PM

Ah, I see what you mean. I got my encryption terminology mixed up. :P
It's still no use though, I need the application to know the password in order to connect to the database so if I have it saved as a hash I still need to have the password in order to compare to the hash before sending it to the database. I would have thought this was a common and often solved problem :(

**JosAH** · 05-17-2012, 06:38 PM

Is a user not supposed to supply a password?

kind regards,

Jos

**k1ng** · 05-17-2012, 09:44 PM

The app is a monitoring app that dumps log files to a database behind the scenes at specified intervals. It's also supposed to be autonomus so it's not practical to ask for the password all the time.

**JosAH** · 05-17-2012, 10:08 PM

There's your catch 22: if nobody supplies a password manually, your application has to 'know' that password and you have to hide it somewhere. Two-way-encryption is the way to go.

kind regards,

Jos

**k1ng** · 05-17-2012, 10:10 PM

Really, that's the best we can do? Do secure database abstraction pattern I can take advantage of? lol

**JosAH** · 05-18-2012, 08:19 AM

Originally Posted by k1ng

Really, that's the best we can do? Do secure database abstraction pattern I can take advantage of? lol

I vaguely remember (or think I remember) that a secure database abstraction pattern was a way to protect the database against sql injection (but I could be wrong).

kind regards,

Jos

**Tolls** · 05-18-2012, 09:33 AM

Where is your database?
If it's on the same machine as the user then I'm really not sure why you are trying to get this so secure.
The password has to exist in some form on that machine, along with whatever encryption.