Java - 如何存储应用程序中使用的密码?
我正在开发一个从数据库读取一些数据的应用程序.与数据库的连接是通过标准的登录/密码机制执行的.
I'm developing an application which read some data from a db. The connection to the db is performed through standard login/password mechanism.
问题是:如何存储db密码?如果我将其存储为类成员,则可以通过反编译操作轻松检索.
The problem is: how to store the db password? If I store it as a class member, it can be easily retrieved through a decompiling operation.
我认为混淆并不能解决问题,因为在混淆代码中也可以很容易地找到字符串密码.
I think that obfuscation doesn't solve the problem, since a string password can be found easily also in obfuscated code .
有人有建议吗?
推荐答案
永远不要将密码硬编码到您的代码中.这是最近在 Top 25最危险的编程错误
Never hard-code passwords into your code. This was brought up recently in the Top 25 Most Dangerous Programming Mistakes
将秘密帐户和密码硬编码到您的软件中非常方便——对于熟练的逆向工程师而言.如果所有软件的密码都相同,那么当密码不可避免地为人所知时,每个客户都会变得容易受到攻击.而且因为它是硬编码的,所以修复起来非常痛苦.
Hard-coding a secret account and password into your software is extremely convenient -- for skilled reverse engineers. If the password is the same across all your software, then every customer becomes vulnerable when that password inevitably becomes known. And because it's hard-coded, it's a huge pain to fix.
您应该将配置信息(包括密码)存储在应用程序启动时读取的单独文件中.这是防止密码因反编译而泄漏的唯一真正方法(从一开始就不要将其编译成二进制文件).
You should store configuration information, including passwords, in a separate file that the application reads when it starts. That is the only real way to prevent the password from leaking as a result of decompilation (never compile it into the binary to begin with).
查看这个精彩的答案以获得更详细的解释:威廉·布伦德尔
See this wonderful answer for more detailed explanation : By William Brendel
相关文章