Sergey V.

Reputation: 81

replacing hard coded credentials

I built a simple Java app. However, I can't understand how I could secure this app to avoid hard-coded passwords, so that a decompiler won't be able to reveal them.

LoginMain.java

import java.util.Scanner;

public class LoginMain {

    public static void main(String[] args) {
        // Hard-coded credentials: these string constants survive compilation
        // and can be read straight out of the class file.
        String Username;
        String Password;
        Password = "admin";
        Username = "admin";
        Scanner input1 = new Scanner(System.in);
        System.out.println("Enter Username : ");
        String username = input1.next();
        Scanner input2 = new Scanner(System.in);
        System.out.println("Enter Password : ");

        String password = input2.next();
        // Plain string comparison against the embedded values.
        if (username.equals(Username) && password.equals(Password)) {
            System.out.println("Access Granted! Welcome!");
        } else if (username.equals(Username)) {
            System.out.println("Invalid Password!");
        } else if (password.equals(Password)) {
            System.out.println("Invalid Username!");
        } else {
            System.out.println("Invalid Username & Password!");
        }
    }
}

LoginNew.java

import java.util.Scanner; 

public class LoginNew {
    public static void main(String[] args) {
        String Username;
        String Password;
        Scanner scan = new Scanner (new File("1.txt"));
        Scanner input1 = new Scanner(System.in);
        System.out.println("Enter Username : ");
        String username = input1.next();
        Scanner input2 = new Scanner(System.in);
        System.out.println("Enter Password : ");
        String password = input2.next();

        if (username.equals(Username) && password.equals(Password)) {
            System.out.println("Access Granted! Welcome!");
        } else if (username.equals(Username)) {
            System.out.println("Invalid Password!");
        } else if (password.equals(Password)) {
            System.out.println("Invalid Username!");
        } else {
            System.out.println("Invalid Username & Password!");
        }
    }
}

However, the system presents me:

loginNew.java:9: error: cannot find symbol
        Scanner scan = new Scanner (new File("1.txt"));
                                        ^
  symbol:   class File
  location: class loginNew
1 error
Error: Could not find or load main class loginNew  

I created the file 1.txt with my credentials: Password = "admin"; Username = "admin"; Simple stuff, but I'm lost. Sorry.

Upvotes: 3

Views: 2949

Answers (1)

mkasberg

Reputation: 17342

Normally, passwords wouldn't even be stored in the application code - they'd be validated against a database or some other data source. But throwing those concerns aside for a moment...

The answer to your question is to use a one-way hash. That is, encrypt the password with a hash function that can't be reversed. When the user types in a password, hash it and compare it to the hash that's stored in your application code. (Replace the password variable with a passwordHash variable.) Because the hash can't be (easily) decrypted, it's more secure than storing the plain-text password in your application source (or database, or wherever else you may be storing hashed passwords).

As others have alluded to, cryptographic hashing (and application security) can get complex very quickly, and isn't particularly friendly for beginners to work with. So this answer might help you understand some concepts, but you might need a bit more to secure a production-quality application.

Upvotes: 4
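As an added example (not part of the answer above and not the asker's code), here is one way the hashed comparison the answer describes could look in the asker's Java program. It uses only the standard JDK: PBKDF2 (javax.crypto) with a random per-user salt, MessageDigest.isEqual for a constant-time comparison, and java.nio.file to read the stored hash from a file, which is the import the asker's LoginNew.java was missing for its File-based approach. The file name credentials.txt, the "enroll" command-line mode, the "salt$hash" layout and the PBKDF2 parameters are all assumptions made for this example. Note that a hash shipped inside a jar still lets anyone who decompiles it guess passwords offline against that hash, so a slow, salted hash only raises the cost of that guessing; it does not make the credential a secret.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Scanner;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginHashed {
    // PBKDF2 settings chosen for this example (assumption); raise ITERATIONS as hardware allows.
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 210_000;
    private static final int KEY_LENGTH_BITS = 256;
    private static final int SALT_BYTES = 16;
    // Credential file written by "enroll" and read at login; the name is an assumption.
    private static final Path CREDENTIALS = Paths.get("credentials.txt");

    /** Derives a fixed-length hash from a password and a per-user random salt. */
    static byte[] hash(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_LENGTH_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 is not available in this JVM", e);
        } finally {
            spec.clearPassword(); // do not keep the clear-text password in memory
        }
    }

    /** Builds the stored form "salt$hash" (both Base64) for a newly chosen password. */
    static String enroll(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + "$" + b64.encodeToString(hash(password, salt));
    }

    /** Checks a typed password against a stored "salt$hash" string. */
    static boolean verify(char[] candidate, String stored) {
        String[] parts = stored.split("\\$", 2);
        if (parts.length != 2) {
            return false;
        }
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[0]);
        byte[] expected = b64.decode(parts[1]);
        // MessageDigest.isEqual compares every byte, so timing does not reveal
        // how far into the hash the mismatch occurred.
        return MessageDigest.isEqual(hash(candidate, salt), expected);
    }

    public static void main(String[] args) throws IOException {
        Scanner in = new Scanner(System.in);
        if (args.length == 1 && args[0].equals("enroll")) {
            // One-time setup: java LoginHashed enroll
            System.out.print("New username: ");
            String user = in.next();
            System.out.print("New password: ");
            String stored = enroll(in.next().toCharArray());
            // Only the username, salt and hash reach disk; the password itself never does.
            Files.write(CREDENTIALS, Arrays.asList(user, stored));
            System.out.println("Wrote " + CREDENTIALS);
            return;
        }
        // Normal login: java LoginHashed   (fails with an IOException if enroll was never run)
        List<String> lines = Files.readAllLines(CREDENTIALS, StandardCharsets.UTF_8);
        System.out.print("Enter Username : ");
        String username = in.next();
        System.out.print("Enter Password : ");
        char[] password = in.next().toCharArray();
        // Evaluate both checks regardless of the username result and report one generic
        // message, so the response does not tell a caller which field was wrong.
        boolean userOk = MessageDigest.isEqual(
                username.getBytes(StandardCharsets.UTF_8),
                lines.get(0).getBytes(StandardCharsets.UTF_8));
        boolean passOk = verify(password, lines.get(1));
        System.out.println(userOk && passOk ? "Access Granted! Welcome!"
                                            : "Invalid Username or Password!");
    }
}
```

Compile with javac LoginHashed.java, run java LoginHashed enroll once to create credentials.txt, then java LoginHashed to log in. Two deliberate changes from the asker's version: the four separate messages ("Invalid Password!", "Invalid Username!", ...) are collapsed into one, because telling a caller which half was right is a small but free gift to anyone guessing; and the typed password is kept as a char[] that PBEKeySpec clears, rather than as a String that lingers on the heap. If the program runs in a real terminal, System.console().readPassword() would also stop the password from being echoed, but Console is null under most IDEs, which is why this example sticks with Scanner as the original did.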
