Java - 如何存储应用程序中使用的密码? [英] Java - How to store password used in application?

问题描述

我正在开发一个从数据库读取一些数据的应用程序.与数据库的连接是通过标准的登录/密码机制执行的.

I'm developing an application which read some data from a db. The connection to the db is performed through standard login/password mechanism.

问题是:如何存储db密码?如果我将其存储为类成员，则可以通过反编译操作轻松检索.

The problem is: how to store the db password? If I store it as a class member, it can be easily retrieved through a decompiling operation.

我认为混淆并不能解决问题，因为在混淆代码中也可以很容易地找到字符串密码.

I think that obfuscation doesn't solve the problem, since a string password can be found easily also in obfuscated code .

有人有建议吗?

推荐答案

永远不要将密码硬编码到您的代码中.这是最近在 Top 25最危险的编程错误

Never hard-code passwords into your code. This was brought up recently in the Top 25 Most Dangerous Programming Mistakes

将秘密帐户和密码硬编码到您的软件中非常方便——对于熟练的逆向工程师而言.如果所有软件的密码都相同，那么当密码不可避免地为人所知时，每个客户都会变得容易受到攻击.而且因为它是硬编码的，所以修复起来非常痛苦.

Hard-coding a secret account and password into your software is extremely convenient -- for skilled reverse engineers. If the password is the same across all your software, then every customer becomes vulnerable when that password inevitably becomes known. And because it's hard-coded, it's a huge pain to fix.

您应该将配置信息(包括密码)存储在应用程序启动时读取的单独文件中.这是防止密码因反编译而泄漏的唯一真正方法(从一开始就不要将其编译成二进制文件).

You should store configuration information, including passwords, in a separate file that the application reads when it starts. That is the only real way to prevent the password from leaking as a result of decompilation (never compile it into the binary to begin with).

查看这个精彩的答案以获得更详细的解释:威廉·布伦德尔

See this wonderful answer for more detailed explanation : By William Brendel

这篇关于Java - 如何存储应用程序中使用的密码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！