Hard-coded Passwords
Overview
Hard-coded passwords and secrets are easily leaked through source code, binaries, backups, and logs.
Impact
Once exposed, the same secret may compromise every deployed environment that uses it.
Countermeasures
Use a secret manager or protected environment configuration, rotate secrets, and keep credentials out of source control.
Examples
Vulnerable: the database password is a string literal in the source.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public Connection DBConnect(Properties props) {
    Connection conn = null;
    try {
        String url = props.getProperty("url");
        String id = props.getProperty("id");
        // The password "tiger" ships with every copy of the source and the compiled binary
        conn = DriverManager.getConnection(url, id, "tiger");
    } catch (SQLException e) {
        System.err.println("...");
    }
    return conn;
}
Fixed: the password is read from protected configuration and decrypted at run time.

import java.security.GeneralSecurityException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import javax.crypto.Cipher;

public Connection DBConnect(Properties props, Cipher cipher) {
    Connection conn = null;
    try {
        String url = props.getProperty("url");
        String id = props.getProperty("id");
        String pwd = props.getProperty("passwd");
        ...
        // cipher is assumed to be initialised for decryption with a key kept
        // outside the source tree (its set-up is elided on the original page)
        byte[] decrypted_pwd = cipher.doFinal(pwd.getBytes());
        pwd = new String(decrypted_pwd);
        conn = DriverManager.getConnection(url, id, pwd);
    } catch (SQLException | GeneralSecurityException e) {
        System.err.println("...");
    }
    return conn;
}
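As an added example (not code from the original page), a small Python scanner that flags string literals in the password position of DriverManager.getConnection and in assignments to password-like names, run over constructed copies of the two snippets above. The check names, regular expressions and the redaction rule are my own choices.

```python
import re

# Constructed sample input: the password position of the page's two DBConnect
# variants, one with a literal password and one reading it from properties.
VULNERABLE_SRC = '''
conn = DriverManager.getConnection(url, id, "tiger");
'''
FIXED_SRC = '''
String pwd = props.getProperty("passwd");
conn = DriverManager.getConnection(url, id, pwd);
'''

# A Java string literal, allowing escaped quotes inside it.
_LITERAL = r'"([^"\\]*(?:\\.[^"\\]*)*)"'
# Third argument of getConnection(url, user, password) written as a literal.
GETCONN_LITERAL = re.compile(r'getConnection\s*\(\s*[^,()]+,\s*[^,()]+,\s*' + _LITERAL)
# Assignments to password-like names, e.g. String dbPassword = "...";
ASSIGN_LITERAL = re.compile(
    r'(?:passw(?:or)?d|pwd|secret|api[_-]?key|token)\w*\s*=\s*' + _LITERAL,
    re.IGNORECASE)

CHECKS = (("getConnection-literal", GETCONN_LITERAL),
          ("assignment-literal", ASSIGN_LITERAL))


def find_hardcoded_secrets(source):
    """Return (line_number, check_name, literal) for every suspect literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in CHECKS:
            for m in rx.finditer(line):
                if m.group(1):  # an empty literal is a placeholder, not a secret
                    findings.append((lineno, name, m.group(1)))
    return findings


def redact(literal):
    """Mask a found value so the scanner's own report does not leak it."""
    return literal[:1] + "*" * (len(literal) - 1) if literal else ""


def report(source, label):
    lines = [f"{label}:{lineno} {name} -> {redact(lit)}"
             for lineno, name, lit in find_hardcoded_secrets(source)]
    return lines or [f"{label}: no hard-coded secrets found"]


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print("\n".join(report(src, label)))
```

A scanner like this belongs in pre-commit hooks or CI so a literal password is rejected before it reaches source control.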