8

I have a program that connects to a web site and makes changes to its content. The program logs in first to have the right to change the content. Now I want to pass the program to other people so they can run it to help me finish the task.

The program can only log in under my account and I don't want to pass on the password. I decided to hard-code the password like this:

String username = "username";
String password = "password";
login(username, password);

How to make sure that it will be impossible to recover the password? If it's impossible, what to do to make the operation of recovering hard? Or what is the better way for my problem?

Hunsu

4 Answers

9

How to make sure that it will be impossible to recover the password?

If it was impossible to recover, the program couldn't recover it either and it would be useless.

If it's impossible, what to do to make the operation of recovering hard?

Yes, don't call it password. Something very simple is,

String p = "kjasghfdkgasdfjlkasfljkahgdsfjhgdjsfh".substring(8, 15);

Or what is the better way for my problem?

Trust the people trying to help you. Give the account as limited access as possible to do the work, and change the password regularly so that while they could work it out, they won't have access for long.

Peter Lawrey
5

If the other people have their own accounts on the website, then you can avoid giving away your own account. Put the username and password in a configuration file separate from your program - approximately like this:

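import java.io.FileReader;
import java.util.Properties;

// Read the credentials from a file kept outside the program.
Properties login = new Properties();
try (FileReader in = new FileReader("login.properties")) {
    login.load(in);
}
String username = login.getProperty("username");
String password = login.getProperty("password");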

and create a file login.properties containing this:

username=your_username_here
password=your_password_here

When you give other people the program, give them just the program, and not the configuration file. Give them instructions to create the file with their own username and password.

user253751
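A stricter version of the configuration-file approach in the answer above, as an added example that is not the answerer's code. The class name `LoginConfig` and its methods are hypothetical, and the owner-only permission check is an extra assumption beyond what the answer describes; the file name, keys and placeholder values are the ones the answer uses.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;

// Added example: LoginConfig, load() and require() are hypothetical names.
public class LoginConfig {
    final String username;
    final String password;
    private LoginConfig(String username, String password) {
        this.username = username;
        this.password = password;
    }
    /** Loads per-user credentials, so nothing secret is compiled into the program. */
    static LoginConfig load(Path file) throws IOException {
        if (!Files.isRegularFile(file)) {
            throw new IOException("Create " + file + " with your own username= and password= lines");
        }
        // On POSIX file systems, refuse a file that group or other users can access.
        if (file.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            for (PosixFilePermission p : Files.getPosixFilePermissions(file)) {
                if (!p.name().startsWith("OWNER_")) {
                    throw new IOException(file + " must not be accessible to group/others (chmod 600)");
                }
            }
        }
        Properties props = new Properties();
        try (Reader in = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
            props.load(in);
        }
        return new LoginConfig(require(props, "username"), require(props, "password"));
    }
    // Rejects missing values and the untouched placeholders from the template file.
    private static String require(Properties props, String key) throws IOException {
        String value = props.getProperty(key, "");
        if (value.trim().isEmpty() || value.equals("your_" + key + "_here")) {
            throw new IOException("Set your own '" + key + "' in login.properties");
        }
        return value;
    }
    public static void main(String[] args) throws IOException {
        LoginConfig cfg = load(Paths.get("login.properties"));
        System.out.println("Loaded credentials for " + cfg.username); // never log the password
    }
}
```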
2

Obfuscate it by storing the password in an array and having the array connected to a complex system of if statements, switch statements, etc. The more complex the better. Have a look at https://gist.github.com/jorgeatorres/442094 for an example of someone doing this with Hello World. Also, don't call it 'password'...

BenjaminJB
  • I'm doing something similar to this. I'm not looking for an 'uncrackable' algorithm, I'm just looking for a way to increase the time required to find the password. Basically, I have one algorithm that takes a password, matches it to a grid of characters using a built-in algorithm, and that spits out a series of movements and mathematical statements in the form of a byte array. The byte array is what you store in your program, and you pass it back into the algorithm to get your password back out of it. The byte array is read backwards. It adds complexity, which is all I really want. – Krythic Feb 20 '18 at 21:07
1

You can put your password in an encrypted format and decrypt it inside your program; HOWEVER, having a password in your program at all is NOT recommended.

I am assuming this happens via FTP? I recommend you make a login form and let users fill in their own login. You could make an FTP account for each user or whatever.

No matter how much you try to hide it, it's still there and it will still be found.

Limnic
  • He will be shipping any encrypting algorithm his code uses - with the code :P – TheLostMind Aug 09 '14 at 10:07
  • That is why I said it's not recommended. Perhaps I didn't make it clear. – Limnic Aug 09 '14 at 10:07
  • This happens via https; it's on Wikipedia. To make the changes you must have a bot account. – Hunsu Aug 09 '14 at 10:08
  • Well, what you are doing is sort of hard to make secure. If you make the authentication happen server-side, anyone can still authenticate with it because there is no other form of authentication. If you want the easiest way you can do what @BenjaminJB said and hope nobody figures it out. – Limnic Aug 09 '14 at 10:12