I know that it is unsafe to store passwords as Strings in Java source code. Generally it is a good idea to store it in a variable of type char[]. Is it safe to store a password in the following form?

char[] password = "my password".toCharArray();

Does the string "my password" appear in the compiled Java class file? As far as I can see, "my password" does not appear in my class file after I have compiled the source code. But I am still not 100% sure that I can store a password using the described representation.

Could I safely use this construct and be sure the password is protected unless somebody gets it from the source code?

EDIT: what if I store a key instead of a password in the described format: "key".toCharArray()? Does it reduce the chance of my password being hacked?

altern
    Calling a function on a string literal does not magically make the string literal safer. – SLaks Nov 06 '13 at 03:56
  • What's "key" supposed to be? – Johannes H. Nov 06 '13 at 04:00
  • Oh, and BTW: Where did you get the "It's a good idea to store it as an array" from? AFAIK that's of no use (see my answer below) - so I'm curious where you got that from. – Johannes H. Nov 06 '13 at 04:02
  • @JohannesH. I am using following approach: http://stackoverflow.com/a/1133815/50962 – altern Nov 06 '13 at 04:06
  • @JohannesH. And here is another link: http://stackoverflow.com/a/12981202/50962 – altern Nov 06 '13 at 04:07
  • About encryption: As mentioned in the answer, the problem is just shifted. The original password is now secure, but the encryption password is not. And as long as you have access to that, you can always use it to get the original one again. | About the array: The answer you read refers to runtime security (having the string in memory). The chars are still in the binary. – Johannes H. Nov 06 '13 at 04:11
  • Another thing you should keep in mind: If the whole thing is about a program that should have access to some network resource that is password-protected, every user of that program can always catch the password when it's submitted. When in doubt, even if you're using SSL for those connections - the user can always edit your binary to get around that. – Johannes H. Nov 06 '13 at 04:14

6 Answers

5

There is no safe way to store a password in source, period.

Any information that your code can read, a skilled attacker can also read.

SLaks
2

Arrays of chars appear in the data part of the compiled binary code, the same way strings do. And they have to - how else is the JVM supposed to know what's in that array? So it's really just "security by obscurity", which should never be done (and doesn't help a thing).

Even more, the way you are doing it (creating the string first and converting it into an array) does not even obscure things - the string is still created first, and therefore part of the data part of your binary.

Johannes H.
1

A password appearing in cleartext is unsafe, and yes, it will be visible in your .class file. Also note that cleartext passwords are unsafe whether in code, files, or a DB. You should use a good password encryption/decryption algorithm to save your passwords.

Juned Ahsan
1

As others have mentioned, it is generally a very bad idea to store a password in your code, although one-way hashing functions may offer you an acceptable level of security.

To demonstrate why the technique you propose is not secure, try compiling the following file:

// Password.java
public class Password {
  private String strPass = "i<3bieber";
  private char[] chrPass = "belieber".toCharArray();
}

and on the commandline:

$ javac Password.java
$ strings Password.class

And you'll see that the string is present in the compiled code, and easily accessible.

Ben Taitelbaum
0

It may be somewhat better to store the password as a hash. Take a look at Hashing Java

Sualeh Fatehi
0

You seem to be asking two different questions (or at least it could be interpreted that way).

1) Is it safe to store a password in the source code?

No. See all the other answers, this is never a good idea.

2) Is it safe to use a String to hold a password (or other sensitive data)?

That's a more interesting question. The theory is that due to the way Java pools Strings and their immutability, you cannot guarantee how long they will live in memory. So if you read a password into a String, a heap dump of the process's memory may well reveal that password well after you've stopped using it.

This is an interesting idea but whether it applies depends a lot on context. If you are operating in a hostile environment where you have strong reason to believe that your process's memory might get dumped in a search for sensitive data, then only storing passwords in char[] which can be programmatically deleted (set all chars to 0) makes some sense. However, that's only really likely to be the case in client side applications and possibly server side applications in a shared hosting environment where you're co-located with processes you can't trust (opening you up to any number of nasty side channel attacks).

In most cases though, avoiding Strings doesn't make sense. For instance, in many web applications, the frameworks and parsing libraries you use may well convert text sent to you by the client into a String before it ever hits your code. In that case, the point is moot.

Aurand