I have a username and password in my Java app to call an external API. I would like obfuscate these credentials' strings and not hardcode them in plain text inside source code.
Any tip how I can do that?
Asked
Active
Viewed 454 times
-1
-
3I would argue against ever saving credentials hard-coded, even if obfuscated. That's a recipe for desaster. However, there are lots of options. Simple Ceasar comes to mind first. Or make some sort of Enigma-machine. – Bart Barnard Jan 24 '22 at 15:18
-
you should externalize these as command line arguments. – J Asgarov Jan 24 '22 at 15:20
-
1[Handling passwords used for auth in source code](https://stackoverflow.com/q/12937641/3890632) – khelwood Jan 24 '22 at 15:20
1 Answers
0
If the credentials are in an app on an insecure client device, then there is no way to secure them 100%. The common solution is to avoid storing username/password but instead have the user login once to obtain a token from the (secure) application server. This token is stored on the insecure device as securely as feasible, and refreshed on a regular basis: When the token nearly expires, it is used to authenticate with the server and obtain a new token. In this way, if the token is stolen it will not grant access indefinitely.
Adriaan Koster
- 15,870
- 5
- 45
- 60
-
I know is not the most correct way to have some security, but at this point i just like to obfuscate the plain text string's – Nuno Santos Jan 24 '22 at 15:40
-
You could apply Base64 encoding. But you have to promise that this does not go into production :-) – Adriaan Koster Jan 25 '22 at 08:39