如何在 Java 源代码中隐藏硬编码密码
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/25217341/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to hide harded coded password in Java source code
提问by Hunsu
I have a program that connect to a web site and do changes on its content. The program login first to have right to change the content. Now I want I pass the program to other peoples so they can run the program to help me finish the task.
我有一个程序可以连接到网站并对其内容进行更改。程序先登录才有更改内容的权利。现在我希望我将程序传递给其他人,以便他们可以运行程序来帮助我完成任务。
The program can only login under my account and I don't want to pass the password. I decided to hard code the password like this :
该程序只能在我的帐户下登录,我不想传递密码。我决定像这样对密码进行硬编码:
String username = "username";
String password = "password";
login(username, password);
How to make sure that it will be impossible to recover the password ? If it's impossible what to do to make the operation of recovering hard ? Or what the better way for my problem ?
如何确保无法恢复密码?如果不可能怎么做才能使恢复操作变得困难?或者有什么更好的方法可以解决我的问题?
回答by Peter Lawrey
How to make sure that it will be impossible to recover the password ?
如何确保无法恢复密码?
If it was impossible to recover, the program couldn't recover it either and it would be useless.
如果无法恢复,程序也无法恢复,也就没有用了。
If it's impossible what to do to make the operation of recovering hard ?
如果不可能怎么做才能使恢复操作变得困难?
Yes, don't call it password. Something very simple is,
是的,不要称之为密码。很简单的一点是,
String p = "kjasghfdkgasdfjlkasfljkahgdsfjhgdjsfh".substring(8, 15);
Or what the better way for my problem ?
或者有什么更好的方法可以解决我的问题?
Trust the people trying to help you. Give the account as limited access to do the work as possible and change the password regularly so what while they could work out, they won't have access for long.
相信那些试图帮助你的人。为帐户提供尽可能有限的访问权限以完成工作并定期更改密码,以便他们可以工作,但他们不会长时间访问。
回答by user253751
If the other people have their own accounts on the website, then you can avoid giving away your own account. Put the username and password in a configuration file separate from your program - approximately like this:
如果其他人在网站上有自己的帐户,那么您可以避免泄露自己的帐户。将用户名和密码放在与您的程序分开的配置文件中 - 大致如下:
Properties login = new Properties();
try (FileReader in = new FileReader("login.properties")) {
login.load(in);
}
String username = login.getProperty("username");
String password = login.getProperty("password");
and create a file login.propertiescontaining this:
并创建一个login.properties包含以下内容的文件:
username=your_username_here
password=your_password_here
When you give other people the program, give them just the program, and not the configuration file. Give them instructions to create the file with their own username and password.
当你给其他人程序时,只给他们程序,而不是配置文件。向他们提供使用他们自己的用户名和密码创建文件的说明。
回答by BenjaminJB
Obfuscate it by storing the password in an array and having the array connected to a complex system of if statements, switch statements, etc. The more complex the better. Have a look at https://gist.github.com/jorgeatorres/442094for an example of someone doing this with Hello World. Also, don't call it 'password'...
通过将密码存储在一个数组中并将该数组连接到一个复杂的 if 语句、switch 语句等系统来混淆它。越复杂越好。请查看https://gist.github.com/jorgeatorres/442094,了解某人使用 Hello World 执行此操作的示例。另外,不要称它为“密码”...
回答by Limnic
You can put your password in in an encrypted format and decrypt it inside your program HOWEVER having a password in your program at all is NOT recommended.
您可以将密码以加密格式输入并在您的程序中解密,但不建议在您的程序中使用密码。
I am assuming this happens via FTP? I recommend you make a login form and let users fill in their own login. You could make an FTP account for each user or whatever.
我假设这是通过 FTP 发生的?我建议您制作一个登录表单,让用户填写自己的登录信息。您可以为每个用户或其他任何人创建一个 FTP 帐户。
No matter how much you try to hide it. It's still there and it will still be found.
不管你多么想隐藏它。它仍然在那里,它仍然会被找到。
