-
Password hiding
Hi, it's my first post :)
I need help: I did an FTP client to connect to a server, but I need to put username and password in the very code. Now I'm afraid that someone might de-compile the jar and obtain such passwords and logins. I've tried using ProGuard 4.2 to obfuscate the code, but was unable to build something usable.
Any tip? I'm using NetBeans 6.5
-
Yes: rethink whether it's really true that you "need to put username and password in the very code". This is the code equivalent of putting the key to your front door under the door mat.
(1) If your statement about the need is false, then don't do it. Don't put the key under the door mat.
(2) If your statement is true and you need to do this, then that's it: just do it. Better yet, don't bother with the username/password: it saves bending to just leave the front door wide open.
-
You are clearly right,
but I guess I have no other way around. I need this FTP client to send pictures on the server, a friend of mine asked for it. He wants to give this program to his customers, so that they can send him the pictures to print.
But if I have to use FTP I need the username and password to log on to the server. I guess I'll have to just convert the .jar to .exe to make de-compilation more difficult: I talked about this issue with him and he was not worried about it. I mean, we live in a place where many people have problems just turning on the PC, I don't think anyone would ever think about obtaining the data to log on his website and do some damage. Even then, for what he keeps in there, I don't think there will be too much damage.
Still, it's not a good thing to do.
-
I agree with pbrockway2, but if you're in a jam, how about this...
String user = "128123897123987";
String pass = "238447658923412";
ftpServer.connect(decode(user), decode(pass));
Now you still have to worry about the decode() method being decompiled... or network sniffing.
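A check a developer can run on their own build before shipping, added here as an example and not code from any poster in this thread: it reads the constant pool of its own compiled class and reports whether the login strings are stored verbatim. The class name `LiteralCheck` and the `demo-ftp-*` values are constructed for illustration; encoded literals passed to a `decode()` method would be listed the same way, alongside that method's bytecode.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

public class LiteralCheck {
    // Constructed sample values standing in for a hard-coded FTP login.
    static final String USER = "demo-ftp-user";
    static final String PASS = "demo-ftp-pass";

    /** Returns every UTF-8 constant in a compiled class file's constant pool. */
    static List<String> utf8Constants(InputStream classFile) throws IOException {
        DataInputStream in = new DataInputStream(classFile);
        if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        in.readInt();                          // minor + major version
        int count = in.readUnsignedShort();    // entries are numbered 1..count-1
        List<String> found = new ArrayList<>();
        for (int i = 1; i < count; i++) {
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1: found.add(in.readUTF()); break;          // Utf8: u2 length + bytes
                case 5: case 6: in.readLong(); i++; break;       // Long/Double use two slots
                case 7: case 8: case 16: case 19: case 20:
                    in.readUnsignedShort(); break;               // single u2 index
                case 15: in.readUnsignedByte(); in.readUnsignedShort(); break; // MethodHandle
                case 3: case 4: case 9: case 10: case 11: case 12: case 17: case 18:
                    in.readInt(); break;                         // four bytes of payload
                default: throw new IOException("unknown constant tag " + tag);
            }
        }
        return found;
    }

    public static void main(String[] args) throws IOException {
        // Inspect this class's own compiled form (compile with javac first).
        try (InputStream in = LiteralCheck.class.getResourceAsStream("LiteralCheck.class")) {
            if (in == null) throw new IOException("LiteralCheck.class not found on classpath");
            List<String> constants = utf8Constants(in);
            for (String secret : new String[] {USER, PASS}) {
                System.out.println(secret + " stored verbatim: " + constants.contains(secret));
            }
        }
    }
}
```

Pointing `utf8Constants` at the class files of a release jar and failing the build when a known secret appears turns this into a pre-release gate.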
-
Encrypt using SHA-1 hash (or MD5). Any password can be cracked, so there's no reason to stray from using tools that are ready to use:
MessageDigest (Java 2 Platform SE v1.4.2)