2

I'm having a problem with my java code. My teacher at university asked me to use "kiuwan" as online code evaluator and he found this problem on my code:

Hardcoded credentials (username / password) are visible to any person reading the source code. If the resource protected by such hardcoded credentials is important, this may compromise system security. With hardcoded credentials, change is difficult. If the target account is compromised, and the software is deployed in production, a code change is needed, which forces a redeployment. Please note that source code access is not always necessary: if an attacker has access to the JAR file, he/she may dis-assembly it to recover the password in clear.

And it found this problem on my 3 querys:

public static final String CHECK_USER = "SELECT nome FROM utenti WHERE nome=? AND password=?";
public static final String INSERT_USER = "INSERT INTO utenti (nome, password) VALUES (?, ?)";
public static final String CHECK_USER_NAME = "SELECT nome FROM utenti WHERE nome=?";

How can I fix it? I made them in this way (picking up the info from the textfields) to make the login and check on the database.

Thanks to everyone!

Claudio
  • 123
  • 3
  • 15
  • Actually your teacher doesn't mention about how your sql queries are structured, what he/she mentiones about your connection credentials, most probably you've used hardcoded database connection with clear username and password info, this called as bad practice on coding choices. An example like yours could be http://stackoverflow.com/questions/11634379/username-password-etc-hardcoded-into-program-how-to-pick-them-up-from-a-file – Hayra Jan 16 '17 at 10:45
  • Check this:- http://stackoverflow.com/questions/12937641/handling-passwords-used-for-auth-in-source-code – Amit Bhati Jan 16 '17 at 10:52

1 Answers1

4

I don't think your teacher is talking about those queries. I think he / she is talking about how your code creates its database connection. He / she has spotted that you have hardwired the user name and password for the database account into your Java code.

A simple solution for this is to read the database account details from a configuration file ... though now you have the problem of keeping the config file secure.

(Why do I think this? Because the text you quoted from your teacher talks about reading a password from the source code or a JAR file ... not from the database.)

For the record, it is also a bad idea to store passwords in the database. But that is not what your teacher is talking about.

Techniques for avoiding storing passwords in the database are more difficult. A typical solution is to create a seeded crypto-hash for the password, and store that in the database. But means that you can't recover the original password. If you need to do that, then things get even more "hairy" ... from a security perspective.

Stephen C
  • 698,415
  • 94
  • 811
  • 1,216
  • "create a seeded crypto-hash for the password" +1 – Sid Jan 16 '17 at 10:58
  • the "quoted text" is from kiuwan (the online evaluator) not from my teacher... anyway I don't know how to fix it @Stephen C – Claudio Jan 16 '17 at 13:35
  • @ClaudioCiociola - 1) Your teacher (presumably) endorses what "kiuwan" is telling you. 2) Since you haven't shown us the relevant parts of code, I don't see how I can tell you how to fix it. (Apart from what I've already said; i.e. paragraph 2 of my answer.) – Stephen C Jan 16 '17 at 13:43
  • @ClaudioCiociola - 3) You wrote *"My teacher at university asked me to use "kiuwan" as online code evaluator and **he** found this problem on my code:"* In English, you do not refer to a website as "he" or "she". It is an "it". So the "he" in your sentence refers to your teacher! (Just pointing out the cause of the miscommunication ...) – Stephen C Jan 23 '17 at 22:57