I'm developing an application which reads some data from a db. The connection to the db is performed through the standard login/password mechanism.
The problem is: how to store the db password? If I store it as a class member, it can be easily retrieved through a decompiling operation.
I think that obfuscation doesn't solve the problem, since a string password can also be found easily in obfuscated code.
Does anyone have suggestions?
Never hard-code passwords into your code. This was brought up recently in the Top 25 Most Dangerous Programming Mistakes:
Hard-coding a secret account and password into your software is extremely convenient -- for skilled reverse engineers. If the password is the same across all your software, then every customer becomes vulnerable when that password inevitably becomes known. And because it's hard-coded, it's a huge pain to fix.
You should store configuration information, including passwords, in a separate file that the application reads when it starts. That is the only real way to prevent the password from leaking as a result of decompilation (never compile it into the binary to begin with).
See this wonderful answer for a more detailed explanation: by William Brendel
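An added example of the "read it from a separate file at startup" approach, written for this page and not part of the answer above or of any particular project. It assumes a POSIX host (the permission check uses Unix mode bits), a hypothetical `[database]` section in an INI file, and hypothetical `APP_DB_USER` / `APP_DB_PASSWORD` environment variables; the sample config is constructed here and its password is not a real secret. The point it adds to the answer is the two things a practitioner checks once the password is out of the binary: that the file is not readable by other users, and that there is no hard-coded fallback when the file is missing.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample config. In a real deployment this file lives outside
# the source tree and the build output (and is listed in .gitignore), so
# the secret never reaches the compiled artifact or a decompiler.
SAMPLE_CONFIG = """\
[database]
# hypothetical host and account names; constructed sample password
host = db.internal.example
user = app_reader
password = s3cret-example
"""


class InsecureConfigError(Exception):
    """Raised when the credentials file is accessible to group or others."""


def check_private(path: Path) -> None:
    """Refuse a credentials file that group or others can read (POSIX bits)."""
    mode = path.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureConfigError(
            f"{path} is mode {stat.S_IMODE(mode):04o}; expected 0600")


def load_db_credentials(config_path: str, env_prefix: str = "APP_DB_") -> dict:
    """Return {'user', 'password', 'source'} with no hard-coded fallback.

    Order: environment variables first (what container orchestrators and CI
    secret stores inject), then a private config file. If neither is present
    the function fails loudly instead of falling back to a default baked
    into the code, which would defeat the whole exercise.
    """
    user = os.environ.get(env_prefix + "USER")
    password = os.environ.get(env_prefix + "PASSWORD")
    if user and password:
        return {"user": user, "password": password, "source": "env"}

    path = Path(config_path)
    if not path.is_file():
        raise FileNotFoundError(f"no credentials in env and {path} is missing")
    check_private(path)

    parser = configparser.ConfigParser()
    parser.read(path, encoding="utf-8")
    section = parser["database"]
    return {"user": section["user"], "password": section["password"], "source": "file"}


def write_sample_config(directory: str) -> Path:
    """Write the constructed sample config with owner-only permissions."""
    path = Path(directory) / "app.ini"
    path.write_text(SAMPLE_CONFIG, encoding="utf-8")
    os.chmod(path, 0o600)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        cfg = write_sample_config(tmp)
        creds = load_db_credentials(str(cfg))
        print(f"loaded user {creds['user']!r} from {creds['source']}")
        os.chmod(cfg, 0o644)  # simulate a sloppy deploy that widened the mode
        try:
            load_db_credentials(str(cfg))
        except InsecureConfigError as exc:
            print("refused:", exc)
```

The permission check matters because moving the password out of the binary only helps if the file it moves to is harder to read than the binary was; a world-readable config on a shared host is no better than a decompiled class. Environment variables are checked first so the same code runs unchanged under a container or CI secret store, and the missing-file branch raises rather than silently connecting with a default.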