
I am writing an application which loads files using FTP. The code looks like this:

    String username = "username";
    String password = "password";

But after compiling I can see those in .class files. Compiled code looks like this:

    \00username\00password

So the problem is that I can see the password and login in the compiled code. I think that is not good. How can I make Java compile strings into bytecode too?

  • First of all, I do not think hardcoding your user and password is a good idea. Commented Jan 16, 2013 at 22:39
  • They're in bytecode already... Commented Jan 16, 2013 at 22:41
  • This is just a showcase. Of course in the real program the values are different. But this doesn't change the problem. Commented Jan 16, 2013 at 22:41
  • The user and password should rather be read from an external source, for example a file to which only certain users have rights, including the one that your Java program is executed as. Commented Jan 16, 2013 at 22:42
  • You do not apply the rights to a program, you apply them to a user of the operating system. File systems like EXT2, EXT3, NTFS and ReiserFS all have the features to do so. Commented Jan 16, 2013 at 22:50

4 Answers


There is no such thing as compiling a String literal to "bytecode." There is a byte representation of a String; however, as you noticed, most text viewers will translate this byte representation to its normal ASCII/Unicode representation. Either way, storing even an obfuscated username/password is a security hazard and should never be done.

In order to store a username/password securely you should be accessing it from an external secure file, not hard coding it into the program.


16 Comments

Where must that file be placed? I think it's not that hard to change the permissions of any file of a program. So that creates another problem.
You can't change permissions on a file unless you have permission!
@timofeiMih What you need to do in your program is prompt for the user and password instead of hardcoding them, so in fact a standard FTP client. Logical conclusion: you do not need the program you are writing.
@timofeiMih And once again, an anonymous FTP user, which is a standard.
Okay. I understand that I need to look for some other solution... Thanks for helping.
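The "external secure file" this answer recommends only helps if the file's permissions are actually checked, since a credential file left group- or world-readable is no better than the literal in the class. Below is an added example (not code from the answer or the question) of loading FTP credentials from such a file and refusing it when other accounts on the host could read or replace it. The file name and its two-line layout (user name, then password) are assumptions made for illustration, and the checks rely on POSIX mode bits and ownership:

```python
"""Read FTP credentials from a file outside the program, and refuse the file
if other users could read or replace it.

Added example, not code from any answer above.  The file name and layout
(line 1 the user name, line 2 the password) are assumptions for illustration.
The program carries no secret; the operating system enforces who may read the
file, which is the "only certain users have rights" arrangement the comments
describe.  The checks use POSIX mode bits and ownership.
"""
import os
import stat
import tempfile


class InsecureCredentialFile(Exception):
    """The credential file is exposed to other users or is not a plain file."""


def load_credentials(path: str) -> tuple:
    """Return (user, password) from path, or raise if the file is unsafe."""
    st = os.lstat(path)                      # lstat: do not follow symlinks
    if not stat.S_ISREG(st.st_mode):
        raise InsecureCredentialFile(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureCredentialFile(
            f"{path}: mode {stat.filemode(st.st_mode)} grants access to "
            "group/others; it must be 0600")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        raise InsecureCredentialFile(f"{path}: not owned by the running user")
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    if len(lines) < 2 or not lines[0] or not lines[1]:
        raise ValueError(f"{path}: expected two non-empty lines (user, password)")
    return lines[0], lines[1]


def write_credentials(path: str, user: str, password: str) -> None:
    """Create the file with mode 0600 from the start (O_EXCL refuses to overwrite)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(f"{user}\n{password}\n")


def self_check() -> tuple:
    """Exercise both paths with a constructed file in a temporary directory.

    Returns ((user, password) read from a 0600 file, True if the same file
    was refused once it became group/world readable).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ftp.credentials")
        write_credentials(path, "ftpuser", "s3cret")   # constructed sample
        creds = load_credentials(path)
        os.chmod(path, 0o644)                           # simulate a careless chmod
        try:
            load_credentials(path)
            refused = False
        except InsecureCredentialFile:
            refused = True
    return creds, refused


if __name__ == "__main__":
    print(self_check())   # (('ftpuser', 's3cret'), True)
```

Note the limit of this arrangement, which is the point the comments make: the file protects the password from other accounts on the same machine, not from whoever runs the program as the owning user. If every visitor is meant to run the program, every visitor can read the file, and the credential is effectively public either way.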

Dicarlo2 said:

In order to store a username/password securely you should be accessing it from an external secure file, not hard coding it into the program.

That is still better than hardcoding it in the Java code, but you may need to know that Strings are interned in a String pool, which can be a security problem too.

This is why Console.readPassword returns a char array instead of a String. http://docs.oracle.com/javase/tutorial/essential/io/cl.html

Second, readPassword returns a character array, not a String, so the password can be overwritten, removing it from memory as soon as it is no longer needed.

But in real applications the passwords are often used as Strings.

2 Comments

They seem the same in the compiled source. So this doesn't help with the problem.
I didn't mean you should hardcode the password as a char array, but you should use an external source and a char array for maximum security.

You will need to store your password as an encrypted value. Every access to a password-protected instance will use the encrypted password, along with a decrypting algorithm and the key, of course. Then you will not have the password in the compiled file. It is very bad to have this.

1 Comment

Is there some implementation of something similar to this? I know that it is not good to write a decryptor myself.

Don't hardcode passwords unless they are encrypted or the like.

If you want to prompt the user for a password on the command line, you can use this method posted on SO. For a Swing GUI, use a JPasswordField.

Hope this helps!!

6 Comments

Nope. I need to provide FTP access to anybody. Even encrypting will not work, because this will be seen too.
If you are providing access to everyone, then why does the service have a password? If anyone can access the service, then what's the point of hiding the password? If you do need to restrict access, you might give people who need access the credentials.
I need a password because they store files in their folders. But the FTP gives access to the "images" folder. I can't make accounts for every user that registers on my website. For example, the user named "user1" stores his files in images/user1.
Why not just use their credentials on your site? If user1 has password pass1, you could just have them use these credentials. If someone needs universal access, you could make an admin account with many permissions.
Yes, I get the point. But I can't make FTP accounts by registration on the website.
