
Is it safe to store a password in a static variable after it is read from a properties file? I see that there are best practices saying that passwords should not be stored in Strings (Java), but I am unable to find people discussing storing the password in static (String/char[]) variables throughout the life of the application.

Will storing the password in static variables cause an additional threat of the password being exposed to the external world? Should the password variable be disposed of after the connection to an external system is created?

Abhishek K
  • The password should almost certainly not be in a static variable. Besides the security implications, this also reduces reusability of the class that contains this static variable, as this is then effectively a singleton. – Hulk Jul 12 '21 at 12:29

1 Answer


For storing the password in local storage:

  1. You can encrypt the password and store it in the static variable; when using it again, you can decrypt the password back into a normal String password.
  2. You can create an SQLite DB and store it there in encrypted mode.
  3. You can also store it in the shared preferences in encrypted form.

For encryption and decryption you can use this reference: a SO post

auspicious99
Sachin Yadav
  • passwords should *not* be decrypted to "normal" Strings (because they are immutable, they persist a lot longer in memory than required and therefore increase the risk of leaking the plaintext password). – Hulk Jul 12 '21 at 12:35
  • This is why client-side databases are rare - they are virtually impossible to secure. You should, if you *must* have a database client-side, enter the password at runtime. Inadvisable though. – g00se Jul 12 '21 at 12:59
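
The points raised in the question (dispose of the password once the connection exists) and in the comment about immutable Strings can be shown in Java. This is an added example, not code from anyone in this thread; the class and method names and the `db.password` key are hypothetical, and it assumes plain `key=value` lines, because `java.util.Properties` would hand the value back as a String.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.nio.CharBuffer;
import java.util.Arrays;
import java.util.function.Consumer;

public class ScopedPassword {
    // Returns the value of "key=value" as a char[] without ever building a String of the value.
    static char[] readValue(Reader in, String key) throws IOException {
        char[] line = new char[4096];
        int len = 0, k = key.length();
        try {
            while (true) {
                int c = in.read();
                if (c != -1 && c != '\n' && c != '\r') {
                    if (len == line.length) throw new IOException("line too long");
                    line[len++] = (char) c;
                    continue;
                }
                // End of line (or input): is this "<key>=..."?
                if (len > k && line[k] == '=' && key.contentEquals(CharBuffer.wrap(line, 0, k)))
                    return Arrays.copyOfRange(line, k + 1, len);
                if (c == -1) return null;            // key not present
                Arrays.fill(line, 0, len, '\0');     // wipe the line before reading the next one
                len = 0;
            }
        } finally {
            Arrays.fill(line, '\0');                 // scratch buffer never outlives the call
        }
    }

    // Hypothetical helper: a local char[] instead of a static field, wiped after use.
    static void withPassword(Reader config, String key, Consumer<char[]> use) throws IOException {
        char[] pw = readValue(config, key);
        if (pw == null) throw new IllegalStateException("missing key: " + key);
        try {
            use.accept(pw);                          // e.g. open the connection here
        } finally {
            Arrays.fill(pw, '\0');                   // plaintext is gone once the connection exists
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample config (a literal only for the demo); real code would read the file.
        Reader config = new StringReader("db.user=app\ndb.password=example-Passw0rd\n");
        withPassword(config, "db.password", pw -> System.out.println("in use, length " + pw.length));
    }
}
```

Copies can still exist in the Reader's internal buffer or in any API that only accepts a String password, so this narrows the window in which the plaintext sits in memory rather than eliminating it.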