Geek Answers Handbook

Can anyone steal a password from a Java application?

Suppose there is a string variable that contains the plaintext password.

Is it possible to read this password using a memory dump. (Suppose I'm using a cheat engine.) I'm puzzled by this JVM. Does the JVM provide some protection against this. If not, what methods should I use to avoid such a theft.

The practical threat will be the trojan; which sends dump segments to the outside.

+6
java password-protection
source share
5 answers

As already noted, yes, anyone can extract a password in different ways. Encrypting the password does not really help - if it is decrypted by the application, then the decrypted form will also be present at some point, and the decryption key (or code) itself will become a vulnerability. If it is sent somewhere else in an encrypted form, then just knowing the encrypted form is enough to fake the transaction, so this also does not help.

Basically, as long as the “attacker” is also the “sender,” you will end up being hacked — which is why the music and video industry cannot get DRM to work.

I suggest you take a copy of Applied Cryptography and read the first section, Cryptographic Protocols. Without even going into the math of actual cryptography, this will give you a good overview of all kinds of design patterns in this area.

+11
source share

If you save the password in text form in your application, someone can read it by playing with memory dumps, regardless of the language or runtime that you use.

To reduce the likelihood of this, just keep the password in plain text when you really need to, then reset or encrypt it. It should be noted here that JPasswordField returns char [], not a string. This is because you are not in control when String disappears. While you also cannot control when the char [] disappears, you can fill it with junk when you are done with the password.

I say “reduce” because it will not stop anyone. As long as the password is in memory, it can be restored, and since decryption should also be part of the supplied one, it can also be cracked, leaving your password open.

+7
source share

This has nothing to do with Java - for applications written in any language, the same problem exists (if it really is):

  • If the executable file contains a password, regardless of how confused or encrypted it is, everyone who has access to the executable file can find out the password.
  • If the application temporarily knows the password or key (for example, as part of a network verification protocol), anyone who can monitor the memory in which the application is running can find out the password.

The latter is usually not considered a problem, since a modern OS does not allow arbitrary applications to monitor each other's memory, and escalation of attack privileges usually depends on different attack vectors.

+4
source share

If the program knows the password, any user using the program can retrieve the password.

+2
source share

In theory, you can just hook it up to the debugger ... set a breakpoint ... and read the contents of the line

+2
source share

More articles:


All Articles