  1. #1
    k1ng, Member

    Hardcoded Passwords

    At the moment my app hard codes passwords in order to create, read and update a local database. I want to make this more secure, so hard coding passwords is obviously not the way to go. The problem is that if I store the password anywhere it's then viewable by anyone; if I one-way encrypt it I need to store the key somewhere and I'm back where I started. If I two-way encrypt it, it's not much more secure because it's vulnerable to anyone who decompiles my Java app and looks at the decryption algorithm.

    How do people get round this problem?

  2. #2
    JosAH, Moderator (Voorschoten, the Netherlands)

    Re: Hardcoded Passwords

    What is wrong with one-way-encryption? Suppose the real password is "secret" and the encrypted version (in text form) is "SDK()^&FDS&D&SDVHM*C". It's a hard task to find a matching password ...

    kind regards,

    Jos
    cenosillicaphobia: the fear for an empty beer glass

  3. #3
    k1ng, Member

    Re: Hardcoded Passwords

    It is, but like I said, if it's a one-way encryption then it needs a decrypt key, which then needs to be stored somewhere, and I'm back where I started.

  4. #4
    JosAH, Moderator (Voorschoten, the Netherlands)

    Re: Hardcoded Passwords

    Quote Originally Posted by k1ng:
    It is, but like I said, if it's a one-way encryption then it needs a decrypt key, which then needs to be stored somewhere, and I'm back where I started.
    That's not how one-way encryption works; you never decrypt anything (it can't be done anyway); you encrypt a potential password and check whether or not it matches the encryption of the original password.

    kind regards,

    Jos

  5. #5
    k1ng, Member

    Re: Hardcoded Passwords

    Ah, I see what you mean. I got my encryption terminology mixed up. :P
    It's still no use though: I need the application to know the password in order to connect to the database, so if I have it saved as a hash I still need to have the password in order to compare to the hash before sending it to the database. I would have thought this was a common and often-solved problem :(

  6. #6
    JosAH, Moderator (Voorschoten, the Netherlands)

    Re: Hardcoded Passwords

    Is a user not supposed to supply a password?

    kind regards,

    Jos

  7. #7
    k1ng, Member

    Re: Hardcoded Passwords

    The app is a monitoring app that dumps log files to a database behind the scenes at specified intervals. It's also supposed to be autonomous, so it's not practical to ask for the password all the time.

  8. #8
    JosAH, Moderator (Voorschoten, the Netherlands)

    Re: Hardcoded Passwords

    There's your catch-22: if nobody supplies a password manually, your application has to 'know' that password and you have to hide it somewhere. Two-way encryption is the way to go.

    kind regards,

    Jos

  9. #9
    k1ng, Member

    Re: Hardcoded Passwords

    Really, that's the best we can do? Do secure database abstraction pattern I can take advantage of? lol

  10. #10
    JosAH, Moderator (Voorschoten, the Netherlands)

    Re: Hardcoded Passwords

    Quote Originally Posted by k1ng:
    Really, that's the best we can do? Do secure database abstraction pattern I can take advantage of? lol
    I vaguely remember (or think I remember) that a secure database abstraction pattern was a way to protect the database against SQL injection (but I could be wrong).

    kind regards,

    Jos

  11. #11
    Tolls, Moderator

    Re: Hardcoded Passwords

    Where is your database?
    If it's on the same machine as the user then I'm really not sure why you are trying to get this so secure.
    The password has to exist in some form on that machine, along with whatever encryption.
    Please do not ask for code as refusal often offends.
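    The catch-22 in #8 and Tolls' point above lead to the usual practical compromise for an unattended service: the password still has to exist on the machine, but it does not have to be compiled into the JAR. Keeping it in a file that only the account running the monitor can read means a decompiled JAR reveals nothing, the operating system's access control does the protecting, and the password can be rotated without rebuilding the app. The following Java 11+ class is an example written for this thread, not code from the original posts; the file path, the environment variable name, the JDBC URL and the user name are placeholders to be replaced by deployment configuration. Encrypting the file with a key that is itself in the JAR, as in the two-way scheme discussed earlier, adds only obfuscation on top of this, so it is left out.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Set;

public final class DbCredentialLoader {

    // Any of these bits on the credential file means another local account can get at the secret.
    private static final Set<PosixFilePermission> FORBIDDEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    private DbCredentialLoader() {}

    /** Reads the password from a file and refuses to proceed unless the file is owner-only (mode 0600). */
    public static char[] loadFromFile(Path credentialFile) throws IOException {
        try {
            Set<PosixFilePermission> leaked = EnumSet.noneOf(PosixFilePermission.class);
            leaked.addAll(Files.getPosixFilePermissions(credentialFile));
            leaked.retainAll(FORBIDDEN);
            if (!leaked.isEmpty()) {
                throw new IOException(credentialFile + " is accessible to other local users ("
                        + leaked + "); expected mode 0600");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. NTFS): the mode check does not apply here, so the
            // equivalent ACL restriction has to be applied and verified outside this code.
        }
        char[] password = Files.readString(credentialFile, StandardCharsets.UTF_8).strip().toCharArray();
        if (password.length == 0) {
            throw new IOException(credentialFile + " is empty");
        }
        return password;
    }

    /** Alternative source: an environment variable set by the service manager (name is a placeholder). */
    public static char[] loadFromEnv(String variableName) {
        String value = System.getenv(variableName);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("environment variable " + variableName + " is not set");
        }
        return value.toCharArray();
    }

    /** Opens the JDBC connection and wipes the password array as soon as the driver has consumed it. */
    public static Connection connect(String jdbcUrl, String user, char[] password) throws SQLException {
        try {
            // DriverManager needs a String; build it as late as possible.
            return DriverManager.getConnection(jdbcUrl, user, new String(password));
        } finally {
            Arrays.fill(password, '\0');  // the secret no longer lingers in our own array
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder locations: nothing here is a real credential or a real database.
        Path credentialFile = Path.of(System.getProperty("user.home"), ".logmonitor", "db-password");
        char[] password = Files.exists(credentialFile)
                ? loadFromFile(credentialFile)
                : loadFromEnv("LOGMONITOR_DB_PASSWORD");
        try (Connection conn = connect("jdbc:example://localhost/monitor", "monitor", password)) {
            System.out.println("connected: " + !conn.isClosed());
        }
    }
}
```

    The permission check is the important part: it turns "someone else on the box can read the file" into a startup failure rather than a silent exposure. It also matches Tolls' observation in reverse: if the database and the monitor share a machine and the user owns that machine, the file protects the password from other accounts and from casual inspection of the JAR, not from the machine's owner, and nothing stored locally can do better than that.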
