-1

I know that hardcoding passwords into a program is something insecure by nature. Most of them can be cracked by reverse engineering tools such as IDA Pro. However, if one had no choice other than to do so, would there be a secure way to do it?

I need to release a small Java client app to a small group of users and need to hardcode an authentication token. Any advice?

Thanks

user1060551
  • There isn't a way. As you noted, if the token is stored in the code it can be extracted by reverse engineering. – Stephen C Oct 03 '21 at 13:04

1 Answer

0

If you must, Java has a GuardedString class, similar to the SecureString class in C#.

Secure string implementation that solves the problems associated with keeping passwords as java.lang.String. That is, anything represented as a String is kept in memory as a clear text password and stays in memory at least until it is garbage collected.

The GuardedString class alleviates this problem by storing the characters in memory in an encrypted form. The encryption key will be a randomly-generated key.

In their serialized form, GuardedString will be encrypted using a known default key. This is to provide a minimum level of protection regardless of the transport. For communications with the Remote Connector Framework it is recommended that deployments enable SSL for true encryption.

Applications may also wish to persist GuardedStrings. In the case of Identity Manager, it should convert GuardedStrings to EncryptedData so that they can be stored and managed using the Manage Encryption features of Identity Manager. Other applications may wish to serialize APIConfiguration as a whole. These applications are responsible for encrypting the APIConfiguration blob for an additional layer of security (beyond the basic default key encryption provided by GuardedString).

Ermiya Eskandary
  • Hi, this might work for memory, but how to safely store the token in the code itself? Someone could reverse engineer the code and search for password form texts in it. – user1060551 Oct 03 '21 at 13:01
  • Any password in an application that runs on the user's machine can eventually be reverse-engineered regardless of anything you do - you can only make it harder, not impossible. There is never a "safe" way to store anything in an application to which the user has access. – Ermiya Eskandary Oct 03 '21 at 13:07