4

When i create a runnable jar file from a java source code file from eclipse, i believe it creates a class file which then can be run by the JVM.

The reason i am asking this is because i am going to be making an java application that keeps all my passwords. The app is going consist of an interface that asks for a password and then if the password is correct show the passwords. Here are my questions on this subject:

  • What exactly does a runnable *jar file* consist of?
  • If the runnable jar file consists of a class file, can that class file be interpreted in anyway to be able to see the source code which would revile the passwords?
  • when you run the runnable jar file from cmd and type "java -jar xxx". and "xxx" meaning the file name, does "-jar" mean you are going to run a jar file and "java" means run this following file in the JVM?
  • Is this like .exe files, which can't be un done to readable source code when turned into the .exe file.
animuson
  • 53,861
  • 28
  • 137
  • 147
Jack Trowbridge
  • 763
  • 1
  • 8
  • 9
  • Related: http://stackoverflow.com/questions/2537568/best-java-obfuscator - in short: make sure that nobody can find your passwords even with the source at hand. – assylias Jun 03 '12 at 15:49
  • Jetty uses a simple way to encode passwords so they are not humanly readable. You may want to do something similar. – Thorbjørn Ravn Andersen Jun 06 '14 at 06:23
  • See also http://stackoverflow.com/questions/8584857/encryption-and-decompiling – Raedwald Jul 21 '14 at 12:49
  • Is there a particular reason why you would not use a ready made password manager application? There are various commercial and open source options available that have been developed by people who understand security and have worked hard to avoid the various problems that the answerers of your question have noted. For example [Password Safe](https://www.schneier.com/passsafe.html) is an open source password manager created by Bruce Schneier a well respected cryptographer and security practioner – RobV Jul 21 '14 at 13:23

3 Answers3

7

For the unasked question: If your password is in the source code it will be in the class file in a pretty easy to find way.

A runnable jar file is a jar file (i.e. zip file with jar suffix) containing class files and special file containing information about which class to start.

You can decompile byte code: http://www.program-transformation.org/Transform/JavaDecompilers to get source code. But you can actually see the password in the byte code without decompiling it

yes. in java -jar xxx java means run the jvm using a jar file with name xxx

If you know the language and tools created you should be able to decompile exe file just as class files. And even if not passwords in the source code will be easy to find in the .exe file. So yes jar files are kind of like exe files, but they are different then what you describe.

If you want to make an application to maintain your passwords, make it so that it encrypts the stored passwords using a master password that you provide on startup as a user of the application. Never ever store passwords in source code.

Jens Schauder
  • 77,657
  • 34
  • 181
  • 348
6

Java class files can be disassembled back to readable Java code. Even easier, though, is that you can extract all passwords from the compiled class file because they are stored as plain text (try for example the strings command on a GNU machine).

So, no, the passwords are not inherently safe inside a class file (and therefore not in a jar archive, because jars can easily be unpacked).

What you need to do is implement some sort of encryption and let your program save the passwords in an encrypted file. Your program will then need you to input the decryption key to even be able to unpack the passwords. The key should not be included in the Java program, it should be provided by you each time you run the program.

Emil Vikström
  • 90,431
  • 16
  • 141
  • 175
4

Basically, however hard you try, it can be easily decompiled and read by anyone.

If you can, don't store the password, compare it online on your server (using asynchronous encryption) or store it using a master password given to the application every time.

If you can't, don't store the password as-is. The best thing I can think of is storing (and checking against) the hashcode of the password. User enters the password, it is then SHA-256'd and the resulting hashcode is compared to your stored hashcode of the password. Add salt to protect against rainbow tables.

The idea of this is that the hash function is only one-way, a password can't be recovered from its hash. Therefore, nobody should be able to get your password in a reasonable time if it's strong enough.

A very good read on this are the wiki links - but most notably this article on jasypt.org.

That said - if you tried to encrypt the file containing the hash to add another layer of security, the decrypted password could still be found using a decompiler and a debugger, so don't really count on it being supereffective against someone who would really want to get through. Therefore, it's more a security through obscurity than a real encryption.

Petr Janeček
  • 37,768
  • 12
  • 121
  • 145