How to Securely Handle Passwords in Source Code?

Handling Passwords Securely in Source Code

In the context of accessing a RESTful API using basic authentication, storing the username and password in plaintext is a security risk. To enhance security, consider the following recommendations:

1. Convert Passwords to Character Arrays

Replace the plain text password with a character array. This prevents the use of String objects, which retain data after being set to null.

2. Encrypt Credentials and Decrypt Temporarily

Encrypt the credentials with an algorithm such as Triple Data Encryption Standard (3DES) before storing them. Decrypt them only during the authentication process.

3. Store Credentials Externally

Avoid hard-coding credentials. Instead, store them in a centralized location, such as a configuration file or database. Encrypt them before saving the file, and optionally apply another layer of encryption to the file itself.

4. Protect Transmission

Use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to secure the transmission process.

5. Obfuscate Code

Apply obfuscation techniques to your compiled code to conceal sensitive data.

Example of Password Encryption and Decryption:

The following code sample demonstrates the first and second steps outlined above:

import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PasswordEncryptionExample {
    private static final char[] PASSWORD = "Unauthorized_Personel_Is_Unauthorized".toCharArray();
    private static final byte[] SALT = {
            (byte) 0xde, (byte) 0x33, (byte) 0x10, (byte) 0x12,
            (byte) 0xde, (byte) 0x33, (byte) 0x10, (byte) 0x12
    };

    public static void main(String[] args) throws Exception {
        String password = "LetMePass_Word";
        char[] passwordArray = password.toCharArray();
        
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
        SecretKey key = keyFactory.generateSecret(new PBEKeySpec(PASSWORD));
        Cipher pbeCipher = Cipher.getInstance("PBEWithMD5AndDES");
        pbeCipher.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(SALT, 20));

        byte[] encryptedPassword = pbeCipher.doFinal(passwordArray);
        
        // Cleanup password data sources
        Arrays.fill(passwordArray, (char) 0);
        Arrays.fill(encryptedPassword, (byte) 0);
        
        // Decrypt the encrypted password
        pbeCipher.init(Cipher.DECRYPT_MODE, key, new PBEParameterSpec(SALT, 20));
        byte[] decryptedPassword = pbeCipher.doFinal(encryptedPassword);
        
        String decryptedPasswordString = new String(decryptedPassword);
        System.out.println("Decrypted password: " + decryptedPasswordString);
    }
}

The above is the detailed content of How to Securely Handle Passwords in Source Code?. For more information, please follow other related articles on the PHP Chinese website!