Java - 如何存储应用程序中使用的密码？ [英] Java - How to store password used in application?

问题描述

我正在开发一个从数据库读取一些数据的应用程序。
与db的连接是通过标准的登录/密码机制完成的。

I'm developing an application which read some data from a db. The connection to the db is performed through standard login/password mechanism.

问题是：如何存储db密码？
如果我将它存储为类成员，可以通过反编译操作轻松检索它。

The problem is: how to store the db password? If I store it as a class member, it can be easily retrieved through a decompiling operation.

我认为混淆不能解决问题，因为也可以在混淆的代码中轻松找到字符串密码。

I think that obfuscation doesn't solve the problem, since a string password can be found easily also in obfuscated code .

任何人都有建议吗？

推荐答案

永远不要将密码硬编码到代码中。最近在 Top 25中提到了这一点。最危险的编程错误

Never hard-code passwords into your code. This was brought up recently in the Top 25 Most Dangerous Programming Mistakes

将秘密帐户和密码硬编码到软件中非常方便 - 对于熟练的逆向工程师。如果所有软件的密码相同，那么当密码不可避免地被人知晓时，每个客户都会变得脆弱。而且由于它是硬编码的，修复起来非常痛苦。

Hard-coding a secret account and password into your software is extremely convenient -- for skilled reverse engineers. If the password is the same across all your software, then every customer becomes vulnerable when that password inevitably becomes known. And because it's hard-coded, it's a huge pain to fix.

您应该将配置信息（包括密码）存储在单独的文件中应用程序在启动时读取。这是防止密码因反编译而泄漏的唯一真正方法（永远不要将其编译成二进制文件开始）。

You should store configuration information, including passwords, in a separate file that the application reads when it starts. That is the only real way to prevent the password from leaking as a result of decompilation (never compile it into the binary to begin with).

查看更多精彩答案了解更多信息详细解释： William Brendel

See this wonderful answer for more detailed explanation : By William Brendel

这篇关于Java - 如何存储应用程序中使用的密码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！