3

I built a simple Java app. However, I can't understand how I could secure this app to avoid hard-coded passwords, so that a decompiler won't be able to reveal them.

LoginMain

import java.util.Scanner;

public class LoginMain {

    public static void main(String[] args) {
        String Username;
        String Password;
        // Hard-coded credentials: anyone who decompiles the class can read these
        Password = "admin";
        Username = "admin";
        Scanner input1 = new Scanner(System.in);
        System.out.println("Enter Username : ");
        String username = input1.next();
        Scanner input2 = new Scanner(System.in);
        System.out.println("Enter Password : ");

        String password = input2.next();
        if (username.equals(Username) && password.equals(Password)) {
            System.out.println("Access Granted! Welcome!");
        } else if (username.equals(Username)) {
            System.out.println("Invalid Password!");
        } else if (password.equals(Password)) {
            System.out.println("Invalid Username!");
        } else {
            System.out.println("Invalid Username & Password!");
        }
    }
}

LoginNew.java

import java.io.File;
import java.io.FileNotFoundException;
import java.util.Scanner;

public class LoginNew {
    public static void main(String[] args) throws FileNotFoundException {
        String Username;
        String Password;
        // File lives in java.io, so it needs its own import, and opening it can throw
        // FileNotFoundException, which main() declares. 1.txt is assumed to sit in the
        // working directory with the username on line 1 and the password on line 2.
        Scanner scan = new Scanner(new File("1.txt"));
        Username = scan.nextLine().trim();
        Password = scan.nextLine().trim();
        scan.close();
        Scanner input = new Scanner(System.in);
        System.out.println("Enter Username : ");
        String username = input.next();
        System.out.println("Enter Password : ");
        String password = input.next();

        if (username.equals(Username) && password.equals(Password)) {
            System.out.println("Access Granted! Welcome!");
        } else if (username.equals(Username)) {
            System.out.println("Invalid Password!");
        } else if (password.equals(Password)) {
            System.out.println("Invalid Username!");
        } else {
            System.out.println("Invalid Username & Password!");
        }
    }
}

However, the system presents me with:

loginNew.java:9: error: cannot find symbol
        Scanner scan = new Scanner (new File("1.txt"));
                                        ^
  symbol:   class File
  location: class loginNew
1 error
Error: Could not find or load main class loginNew  

I created the file 1.txt with my credentials: Password = "admin"; Username = "admin"; Simple stuff, but I'm lost. Sorry.

Sergey V.
  • Please follow Java naming conventions: packages, attributes, variables, parameters and methods have to start in **lowerCase**, while classes and interfaces should start in **UpperCase** && there's no need to split declaration and assignment; you can do it in one line – azro Nov 27 '18 at 22:26
  • Solution: hash the password and keep only this hash; then, after the password is entered, hash it and compare whether they are equal. But if you are "a noob" you should not start with that kind of problem, because you are probably not building an app that requires such security ;) – azro Nov 27 '18 at 22:27
  • @azro The OP should also salt the password to make it more secure. – SamHoque Nov 27 '18 at 22:28
  • @SamzSakerz Sure, but I thought that introducing too much stuff would just add confusion; if the notions are new, let's start small – azro Nov 27 '18 at 22:29
  • You see that `String[] args`? It lets you type information (e.g., credentials) on the command line and read them in your Java program. – chrylis -cautiouslyoptimistic- Nov 27 '18 at 22:37

1 Answer

4

Normally, passwords wouldn't even be stored in the application code - they'd be validated against a database or some other data source. But throwing those concerns aside for a moment...

The answer to your question is to use a one-way hash. That is, encrypt the password with a hash function that can't be reversed. When the user types in a password, hash it and compare it to the hash that's stored in your application code. (Replace the password variable with a passwordHash variable.) Because the hash can't be (easily) decrypted, it's more secure than storing the plain-text password in your application source (or database, or wherever else you may be storing hashed passwords).

As others have alluded to, cryptographic hashing (and application security) can get complex very quickly, and isn't particularly friendly for beginners to work with. So this answer might help you understand some concepts, but you might need a bit more to secure a production-quality application.

mkasberg
  • Would it be an option for me to create a separate file for credentials? I thought it might work, but it doesn't. I think I'm missing a point somewhere: – Sergey V. Nov 28 '18 at 00:51
  • Sure, create a file called `credentials.txt` and put the password and/or username in there. Your application will need to read the password out of the file and compare it against the user's input during login. But regardless of _where_ you store the password (code, file, database, etc), you're just moving the problem around. You still have an unencrypted password _somewhere_ unless you hash it. – mkasberg Nov 28 '18 at 02:12
  • For an example of a hashing algorithm, Spring provides one called BCrypt that's relatively common. https://dzone.com/articles/storing-passwords-securely-with-bcrypt-and-java – mkasberg Nov 28 '18 at 02:14
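Putting the answer and the salting comment together, here is an added example (not code from the question or the answer) that uses the JDK's built-in PBKDF2 instead of the BCrypt library linked above; the class name LoginHashed, the username:salt:hash record layout and the iteration count are my own choices. It also collapses the original's separate "Invalid Username!" / "Invalid Password!" messages into one, so a wrong guess does not confirm which half was right.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Scanner;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginHashed {
    // Work factor for PBKDF2-HMAC-SHA256 (JDK built-in, no extra library needed)
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return f.generateSecret(spec).getEncoded();
    }

    /** Builds the "username:salt:hash" record to store (file, database...); run once when the password is set. */
    static String makeRecord(String username, char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);   // random per-user salt: identical passwords get different hashes
        Base64.Encoder b64 = Base64.getEncoder();
        return username + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(pbkdf2(password, salt));
    }

    /** Checks a login attempt against a stored record; the plain password is never kept anywhere. */
    static boolean verify(String record, String username, char[] password) throws Exception {
        String[] parts = record.split(":");
        if (parts.length != 3 || !parts[0].equals(username)) return false;
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] expected = b64.decode(parts[2]);
        byte[] actual = pbkdf2(password, b64.decode(parts[1]));
        return MessageDigest.isEqual(expected, actual);   // constant-time compare, not Arrays.equals
    }

    public static void main(String[] args) throws Exception {
        // Constructed record for username "admin", password "admin"; a real app would read it from credentials.txt
        String stored = makeRecord("admin", "admin".toCharArray());
        Scanner in = new Scanner(System.in);
        System.out.println("Enter Username : ");
        String username = in.next();
        System.out.println("Enter Password : ");
        char[] password = in.next().toCharArray();
        // One message for both failure cases, so a wrong guess does not confirm which half was right
        System.out.println(verify(stored, username, password) ? "Access Granted! Welcome!" : "Invalid Username or Password!");
    }
}
```

Someone who decompiles this class (or reads credentials.txt) gets the salt and the hash, but still has to guess the password and pay the PBKDF2 cost for every guess.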